Defining policy rules based on group membership rather than on
individual users simplifies administration because you don’t have
to update the rules whenever new users are added to a group. When
configuring group mapping, you can limit which groups will be available
in policy rules. You can specify groups that already exist in your
directory service or define custom groups based on LDAP filters.
Defining custom groups can be quicker than creating new groups or
changing existing ones on an LDAP server, and doesn’t require an
LDAP administrator to intervene. User-ID maps all the LDAP directory
users who match the filter to the custom group. For example, you
might want a security policy that allows contractors in the Marketing Department
to access social networking sites. If no Active Directory group
exists for that department, you can configure an LDAP filter that
matches users for whom the LDAP attribute Department is set to Marketing.
Log queries and reports that are based on user groups will include
custom groups.
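A way to preview which directory users a candidate filter would place in a custom group, since every matched user inherits the access the policy grants. This is an added example, not code from the original page or the product: the sample entries, the `employeeType` attribute, and the function names are assumptions, and it goes beyond the page's single-attribute filter to show how a compound filter narrows the match to contractors.

```python
# Constructed sample entries; attribute names and values are assumptions.
DIRECTORY = [
    {"cn": "alice", "department": "Marketing", "employeeType": "Contractor"},
    {"cn": "bob", "department": "Marketing", "employeeType": "Employee"},
    {"cn": "carol", "department": "Finance", "employeeType": "Contractor"},
    {"cn": "dave", "employeeType": "Contractor"},  # no department attribute
]

def parse(f, i=0):
    """Parse an RFC 4515 subset: (&..) (|..) (!..) (attr=value) (attr=*)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"bad operand count for '{op}'")
        node = (op, kids)
    else:
        end = f.find(")", i)
        attr, sep, value = f[i:max(end, i)].partition("=")
        if end == -1 or not (attr and sep) or "(" in value or ("*" in value and value != "*"):
            raise ValueError(f"malformed or unsupported item at offset {i}")
        node, i = ("=", attr.strip().lower(), value), end
    if i >= len(f) or f[i] != ")":
        raise ValueError("unbalanced parentheses")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter on one entry (case-insensitive, an assumption)."""
    attrs = {k.lower(): str(v).lower() for k, v in entry.items()}
    if node[0] == "=":
        _, attr, value = node
        return attr in attrs if value == "*" else attrs.get(attr) == value.lower()
    op, kids = node
    results = [matches(k, entry) for k in kids]
    return not results[0] if op == "!" else {"&": all, "|": any}[op](results)

def custom_group(ldap_filter, directory=DIRECTORY):
    """Return the cn of every entry the filter would map into the group."""
    tree, end = parse(ldap_filter.strip())
    if end != len(ldap_filter.strip()):
        raise ValueError("trailing characters after filter")
    return [e["cn"] for e in directory if matches(tree, e)]

if __name__ == "__main__":
    print(custom_group("(&(department=Marketing)(employeeType=Contractor))"))
```

On the constructed data, `(department=Marketing)` alone also matches the full-time employee `bob`, which is the kind of over-broad membership worth catching before the group is referenced in a policy rule.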