Verify the device can pull the group information by running the command:
> show user group list
which populates all the groups the device is pulling from the AD server.
To configure User-ID group mapping settings on the device, go to Device > User Identification > Group Mapping Settings.
Click Add at the bottom.
Select the LDAP Server Profile
Optionally, add the User Domain (the NetBIOS domain name from Windows AD).
Then go to the Group Include List tab. Under Available Groups, either search or browse for the security group, highlight it, and click the plus sign to add it (a Group Include List is recommended in a large AD environment because of the idmgr limit).
Verify user-to-IP mapping is correct. Run the command:
> show user ip-user-mapping all
This populates all users the device is pulling from the User-ID-Agent.
Go to Policies > Security.
Click Add for a new policy or click an existing policy to add the groups.
Under Policy > User > Source User, click Add. The drop-down lists the available groups.
Configure the security policy with the groups to be restricted.
Additionally, security policies can be restricted to individual users. Type the username manually and it will auto-populate; the drop-down lists only User Groups, not individual users.
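The two verification commands above are easy to eyeball on a small firewall but not in a large AD environment. The following is an added example, not part of the original article or of PAN-OS, that parses captured text from `show user group list` and `show user ip-user-mapping all` and reports the gaps an administrator would want to resolve before a group-based policy goes live: Group Include List entries that never made it into the group list, IPs that are still unmapped, mappings whose domain prefix does not match the configured User Domain, and mappings that did not come from the User-ID agent. The sample output, the group DNs, the User Domain `example` and the column layout are constructed for this example and may differ from what a given PAN-OS release prints.

```python
"""Cross-check User-ID group mapping and IP-to-user mapping output.

Added example (not from the original article): parses text captured from
the PAN-OS CLI commands `show user group list` and
`show user ip-user-mapping all` and reports gaps a firewall admin would
want to see before a group-based security policy goes live.

ASSUMPTION: the sample output and its column layout below are constructed
for this example; adjust the parsers if your release prints differently.
"""
import re
from dataclasses import dataclass

# Constructed sample output of `show user group list` (one group DN per line).
GROUP_LIST_OUTPUT = """\
cn=sales,ou=groups,dc=example,dc=com
cn=finance,ou=groups,dc=example,dc=com
Total: 2
"""

# Constructed sample output of `show user ip-user-mapping all`.
IP_USER_MAPPING_OUTPUT = """\
IP              Vsys   From    User                    IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- ----------------------- -------------- -------------
10.1.1.5        vsys1  UIA     example\\jdoe            2400           2400
10.1.1.7        vsys1  UIA     example\\asmith          2400           2400
10.1.2.9        vsys1  XMLAPI  contractor\\bob          300            300
10.1.3.3        vsys1  UIA     unknown                 60             60
Total: 4 users
"""


@dataclass(frozen=True)
class Mapping:
    ip: str
    vsys: str
    source: str   # "From" column: UIA = User-ID agent; other values = other sources
    user: str     # "DOMAIN\\user" or "unknown"


def parse_group_list(text: str) -> list[str]:
    """Return the group DNs listed by `show user group list`, lower-cased."""
    groups = []
    for line in text.splitlines():
        entry = line.strip().lower()
        # group entries are LDAP DNs; the trailing "Total:" summary is skipped
        if entry.startswith("cn=") or entry.startswith("ou="):
            groups.append(entry)
    return groups


def parse_ip_user_mapping(text: str) -> list[Mapping]:
    """Return Mapping rows from `show user ip-user-mapping all`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # a data row starts with an IPv4/IPv6 address; the header, the dashed
        # separator and the "Total:" summary do not
        if (len(parts) >= 4
                and re.fullmatch(r"[0-9a-fA-F.:]+", parts[0])
                and ("." in parts[0] or ":" in parts[0])):
            rows.append(Mapping(ip=parts[0], vsys=parts[1],
                                source=parts[2], user=parts[3]))
    return rows


def audit(group_output: str, mapping_output: str,
          included_groups: list[str], user_domain: str) -> dict[str, list[str]]:
    """Report problems a group-based security policy would run into.

    included_groups: the DNs added under the Group Include List tab.
    user_domain:     the NetBIOS User Domain configured on the mapping profile.
    """
    groups = set(parse_group_list(group_output))
    findings: dict[str, list[str]] = {
        "missing_groups": [],     # included group not pulled from the AD server
        "unmapped_ips": [],       # IP with no user (policy by user will not match)
        "foreign_domain": [],     # user prefix differs from the configured domain
        "non_agent_source": [],   # mapping did not come from the User-ID agent
    }
    for dn in included_groups:
        if dn.lower() not in groups:
            findings["missing_groups"].append(dn)
    for m in parse_ip_user_mapping(mapping_output):
        if m.user.lower() == "unknown" or "\\" not in m.user:
            findings["unmapped_ips"].append(m.ip)
            continue
        domain, _, _ = m.user.partition("\\")
        if domain.lower() != user_domain.lower():
            findings["foreign_domain"].append(f"{m.ip} {m.user}")
        if m.source != "UIA":
            findings["non_agent_source"].append(f"{m.ip} {m.source}")
    return findings


if __name__ == "__main__":
    # constructed Group Include List and User Domain for the demo run
    report = audit(GROUP_LIST_OUTPUT, IP_USER_MAPPING_OUTPUT,
                   ["cn=sales,ou=groups,dc=example,dc=com",
                    "cn=hr,ou=groups,dc=example,dc=com"], "example")
    for category, items in report.items():
        print(f"{category}: {items}")
```

Paste the real command output into the two string constants (or read it from files) and pass the DNs you added to the Group Include List plus the User Domain you configured; an empty `missing_groups` list confirms the include list took effect, and any `foreign_domain` entries point at mappings that a policy written with the configured domain prefix will not match.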