This is expected behavior.
Role memberships are managed as resource associations between Roles and Trustees (Roles and Accounts). Only managed Roles or Accounts can be added as members of a security role.
To support the Symantec Management Platform scenario where you want to add a user or a domain group to a security role, perform the configuration steps below:
1. Configure an Active Directory import rule to import the domain group.
a) Go to SMP Console>Actions>Discover>Import Microsoft Active Directory.
b) Use or create a ‘Role and Account’ AD Import rule.
c) Select the Domain Group (in this case it should be a Security Group for it in AD) and run the AD Import.
This creates a Symantec Management Platform Role/Account for the domain group/user.
Members of the domain group are created as either Roles or Accounts.
2. Add the new role created by step 1 to the appropriate Security Role.
If you want to add a domain group named “Testers” to the Symantec Management Platform role, do the following:
1. Configure a ‘Role and Account’ AD Import rule to import the “Testers” domain group.
This creates a new Role named Testers. The new role contains all of the members of the “Testers” domain group.
2. Add the new “Testers” role to the Symantec Management Platform role, for example Symantec Administrators role.
a) In the SMP Console, go to Settings>Security>Account Management.
b) Under the treeview>Account Management, click on ‘Roles’.
c) Find the “Testers” Domain Group Role created from your ‘Role and Account’ AD Import rule.
d) Under the ‘members’ tab you should see all the users and other groups that are associated to that ” Testers” Group role.
e) Under ‘Members Of’ tab, add the Security Role desired.
Article URL http://www.symantec.com/docs/TECH144089