[MXS-826] Currently MaxScale requires all grants to be duplicated or user must only exist in the 'user'@'%' form. Created: 2016-08-10  Updated: 2017-12-01  Resolved: 2017-03-20

Status: Closed
Project: MariaDB MaxScale
Component/s: N/A
Affects Version/s: 1.4.3
Fix Version/s: N/A

Type: New Feature
Priority: Major
Reporter: Claudio Nanni
Assignee: Unassigned
Resolution: Duplicate
Votes: 0
Labels: None


 Description   

As MaxScale authentication is currently designed, the DBA must maintain 2 accounts for every user if you want to limit their access by IP instead of using a wildcard host: 1 account with truehost_ip and 1 account with the maxscale_ip.

Two issues I have with this:

1) Additional workload created for me as I have two accounts for every user.

2) The passwords for these accounts must be the same.

This is a problem when the user wants to change their own password.
When I create a new user, I generate a random password and then advise the user to change it using (SET PASSWORD = password_option).

I don't want to know their password. In this situation, this command will only update the password for the maxscale_ip account, since that is how their session is connected.

I will have to either give them permission and explain why they will also need to execute SET PASSWORD FOR '<user>'@'truehost_ip' = password_option, or they must tell me their new password and I have to set it myself.

On the other hand, using wildcards is an unneeded and, in some cases, unacceptable security "loosening".
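
An added example, not part of the original report or of MaxScale itself: a small audit of the two-accounts-per-user scheme described above. It flags pairs whose password hashes have drifted apart, users with no account for the MaxScale host, and wildcard-host accounts. The MaxScale address, the row layout (user, host, password hash) and all sample values are constructed assumptions.

```python
from collections import defaultdict

MAXSCALE_HOST = "198.51.100.5"  # assumed MaxScale address (constructed)

# Constructed sample rows: (user, host, password_hash). Hashes are placeholders.
SAMPLE_ROWS = [
    ("alice", "192.0.2.10",   "*AAAA"),
    ("alice", "198.51.100.5", "*AAAA"),  # pair in sync
    ("bob",   "192.0.2.11",   "*BBBB"),
    ("bob",   "198.51.100.5", "*CCCC"),  # SET PASSWORD ran through MaxScale only
    ("carol", "192.0.2.12",   "*DDDD"),  # no account for the MaxScale host
    ("dave",  "%",            "*EEEE"),  # wildcard host
]


def audit_accounts(rows, maxscale_host):
    """Return {user: state} describing each user's account pair."""
    by_user = defaultdict(dict)
    for user, host, pw_hash in rows:
        by_user[user][host] = pw_hash

    findings = {}
    for user, hosts in sorted(by_user.items()):
        # A wildcard host is the "loosening" the report wants to avoid.
        if any("%" in host for host in hosts):
            findings[user] = "wildcard"
            continue
        proxy_hash = hosts.get(maxscale_host)
        client_hashes = [h for host, h in hosts.items() if host != maxscale_host]
        if proxy_hash is None:
            findings[user] = "missing-maxscale-account"
        elif not client_hashes:
            findings[user] = "missing-client-account"
        elif any(h != proxy_hash for h in client_hashes):
            # The two accounts no longer share one password.
            findings[user] = "password-drift"
        else:
            findings[user] = "ok"
    return findings


if __name__ == "__main__":
    for user, state in audit_accounts(SAMPLE_ROWS, MAXSCALE_HOST).items():
        print(f"{user}: {state}")
```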



 Comments   
Comment by Johan Wikman [ 2017-03-20 ]

Will be handled by MXS-381
