09-27-2019 08:42 AM
It was pointed out that our default policy set was not configured for best practice. We had been pointing the default authentication to our RSA service. In an attempt to change the default to deny access, I had to come up with a limiting method to prevent unnecessary/unacceptable requests from being passed to the RSA service. I thought I would use an AD group as a userid cache to qualify which userids would be sent on to the RSA service. In addition, I am focused on the device admin section, and the authentication I am handling is a TACACS communication. As I dug into it I quickly discovered I could not manually define an AD group criterion, nor could I use the previously created AD identity groups that I use in the authorization policy sets. In fact, no identity groups are available when clicking on that icon in the authentication set. My sad workaround is this: because we have standardized user account names, I took the TACACS username and qualified it based on matching the beginning characters of the usernames... While this works, that set is far greater than the userids I want to forward to our RSA service. Is this limitation engineered by design? Am I looking at authentication in the wrong way?
09-29-2019 09:52 AM
You are correct on this. This is by the current design of ISE: ID groups are available during authorization only, not during authentication.
09-27-2019 10:12 AM
It sounds like you might be missing a step, but my bad if I misunderstood the issue. In order to have AD groups available for use within ISE policy sets or admin access areas, you need to "add" them to ISE.
1. navigate to https://<ISE_IP>/admin/#administration/administration_identitymanagement/administration_identitymanagement_external
2. Click on your AD connector
3. In the middle of the page you will have a "groups" tab, click it.
4. Search and add AD groups you would like to leverage within ISE.
At this point you will have them available when you are creating RADIUS/TACACS rules.
10-02-2019 08:41 AM