I am going to accept https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-allow-traffic-from-specific-LDAP-us... as the solution as it did answer my question... However, adding a user account from local LDAP groups causes the FSSO agent to search for that user and only display the first find. Not much use, as it will be an issue for users connecting from multiple devices or VPN, so I am going to stick to FSSO doing groups. I now see multiple entries for myself and will just need to create a new AD group for individual requirements.
When I configure the FSSO agent with user group source "Collector Agent", all of my users are populated and the policy works. But if I use the same setting for the FSSO agent and select an LDAP server and some groups/users, I get this.