an easy way to this is a rule that diferentiates by user:
if authenticated.username = bob, allow URL.Category (Social Media)
For the rest of you users, just block the category.
This approach is more holistic than going by app control. If you want to have more granular control for this user in what he can use in a particular app, then use appcontrol.
Actually that is the current setup. But say a company only allows users to access social networks for business works using the company's own social media account.
This is to assure at least the management that users are not using their permissions to access social networks for personal stuffs.