Currently DPA can only map to groups on the AD side. It would be nice if it could be more granular than that and map to individual users as well.
