We should use UserID object to identify users instead of username.

components/policy/core/common/cloud/cloud_policy_validator.h

Index: components/policy/core/common/cloud/cloud_policy_validator.h
diff --git a/components/policy/core/common/cloud/cloud_policy_validator.h b/components/policy/core/common/cloud/cloud_policy_validator.h
index 31db8bcce3ab933ecd3d0c714023fe9185a8fc41..b54920739a92d71be40847d51a5544b5d62ad603 100644
--- a/components/policy/core/common/cloud/cloud_policy_validator.h
+++ b/components/policy/core/common/cloud/cloud_policy_validator.h
@@ -16,6 +16,7 @@
 #include "base/sequenced_task_runner.h"
 #include "base/time/time.h"
 #include "components/policy/policy_export.h"
+#include "components/user_manager/user_id.h"
 #include "policy/proto/cloud_policy.pb.h"
 
 #if !defined(OS_ANDROID) && !defined(OS_IOS)
@@ -126,10 +127,10 @@ class POLICY_EXPORT CloudPolicyValidatorBase {
                          base::Time not_after,
                          ValidateTimestampOption timestamp_option);
 
-  // Validates that the username in the policy blob matches |expected_user|. If
+  // Validates that the user id in the policy blob matches |expected_user_id|. If
   // canonicalize is set to true, both values will be canonicalized before
   // comparison.
-  void ValidateUsername(const std::string& expected_user, bool canonicalize);
+  void ValidateUsername(const user_manager::UserID& expected_user_id, bool canonicalize);
 
   // Validates the policy blob is addressed to |expected_domain|. This uses the
   // domain part of the username field in the policy for the check.
@@ -286,7 +287,7 @@ class POLICY_EXPORT CloudPolicyValidatorBase {
   int64 timestamp_not_after_;
   ValidateTimestampOption timestamp_option_;
   ValidateDMTokenOption dm_token_option_;
-  std::string user_;
+  user_manager::UserID user_id_;
   bool canonicalize_user_;
   std::string domain_;
   std::string token_;