From Michael Zimmerman...
The LDAP User Role Filter is matching against the group name, not the individual user accounts within the group(s). So, for example, below:
A group called “Grp1” is in AD, and the user “GRP1 Admin” is a member of the “Grp1” group. The search base is the OU named “MZIM”.
Create an LDAP User Role Filter to look for the “Grp1” group from AD (should be able to use starts with or matches as the operator).
Any user that is a member of that “Grp1” group should get pulled into UCSD as a “Group Admin” (in my case I chose Group Admin Role), because that group matches the LDAP User Role Filter. Any other user(s) in other groups in the OU will by default get imported as “Service End-Users” into UCSD.
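
A simplified model of the matching described above, added here as an example; it is not UCS Director code and not part of the original note. It shows that a "starts with" filter on "Grp1" would also match a group named "Grp10". The "Grp10" and "Grp2" groups, their members, the case-sensitive comparison and the first-match-wins ordering are assumptions.

```python
# Simplified model of the behaviour described above; not UCS Director code.
DEFAULT_ROLE = "Service End-User"  # role for users whose group matches no filter

def filter_matches(group_name, operator, value):
    """Apply one role-filter test to a group name (never to a user name)."""
    if operator == "matches":
        return group_name == value            # assumption: case-sensitive
    if operator == "starts with":
        return group_name.startswith(value)
    raise ValueError(f"unsupported operator: {operator!r}")

def resolve_roles(directory, role_filters):
    """directory: {group: [users]}; role_filters: [(operator, value, role)].
    Returns {user: role}. Assumption: the first matching filter wins."""
    roles = {}
    for group, members in directory.items():
        role = DEFAULT_ROLE
        for operator, value, filter_role in role_filters:
            if filter_matches(group, operator, value):
                role = filter_role
                break
        for user in members:
            # Assumption: a role granted via one group is not downgraded by another.
            if roles.get(user, DEFAULT_ROLE) == DEFAULT_ROLE:
                roles[user] = role
    return roles

# Constructed sample directory under the "MZIM" search base.
SAMPLE_DIRECTORY = {
    "Grp1": ["GRP1 Admin"],
    "Grp10": ["Contractor A"],   # constructed: name shares the "Grp1" prefix
    "Grp2": ["GRP2 User"],
}

def unintended_admins(directory, intended_group, operator, value, role="Group Admin"):
    """Users who receive `role` without being members of intended_group."""
    roles = resolve_roles(directory, [(operator, value, role)])
    intended = set(directory.get(intended_group, []))
    return sorted(u for u, r in roles.items() if r == role and u not in intended)

if __name__ == "__main__":
    for op in ("matches", "starts with"):
        print(op, resolve_roles(SAMPLE_DIRECTORY, [(op, "Grp1", "Group Admin")]),
              "unintended:", unintended_admins(SAMPLE_DIRECTORY, "Grp1", op, "Grp1"))
```

Running a check like `unintended_admins` against an export of the group names under the search base, before saving a "starts with" filter, shows which groups would receive the elevated role.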