Created on 03-31-2024 11:01 PM
Edited on 04-09-2025 01:21 AM
By Jean-Philippe_P
Description |
This article provides setup assistance for changing the network access policy applied to a single workstation based on the logged-on user. |
Scope | FortiNAC. |
Solution |
If a host is used by different logged-on users and a different network access policy is desired, review the following.
Example: When importing LDAP groups, place them into 'Type: Host' because they are tied to a host. FortiNAC does not have a direct way to associate the host with a user, so it is possible to create roles to accomplish this association.
Registered to the user ID of the user to which this host is registered: Settings.
Who/What By Group: Host or User groups where the host or user must be a member to match this profile: User/host profiles.
However, because the host is tied to the original user1 LDAP group, it is necessary to add a condition to the Who/What in the user tab. For example, user1 is part of role FNAC_LAB. The role per logged-on user is dynamic and follows the user, whereas the host role is tied to the user to which the host was registered. Review the host record below:
User 1:
User 2:
Host record: Notice the host is tied to the owner of user1 and its role.