While configuring
Group Mapping in the
Cloud Identity Engine performs username-to-user group mapping,
those user groups do not populate to security policies. To simplify
the creation or modification of group-based policies, you can use
a Master Device to add the group names to drop-down lists in security
policy rules. You need to designate a firewall as a Master Device
for each device group. After you add a Master Device, the device
group inherits all policies defined on the master device; for this
reason, it should be a standalone, dedicated device to be used for
that device group.