How to Apply ZTNA to Specific Users

We are currently in a trial period for ZTNA. We want to use this to replace VPN access for users in a hybrid and remote situation. All of our endpoints have all of our licensed "modules" by default (ZTNA, Encryption, Intercept X, etc). As a result, when a resource is created for anything, all endpoints are having this traffic caught by the ZTNA agent and blocked since they are not part of the test group that has access. How can we setup the resources/endpoints/gateway so only the ZTNA agent only works for specific users? Any suggestions, advise, or clarifications would be greatly appreciated.

Thank you.

Added TAGs
[edited by: Raphael Alganes at 7:13 AM (GMT -7) on 2 May 2024]