I am not sure if having Source NAT enabled on that interface will take precendence over a firewall policy for that user role. However, if you are willing to test, the syntax would be below. The below will take user traffic to any destination on port 443 and use a NAT pool as well as change 443 to 4343 on the outbound.
ip access-list session <policy name>
alias "user" any "svc-https" dual-nat pool "pool-name" 4343