There are a few ways to do this, but Identity Manager uses the Identity - the Employee object, for this type of automatic assignment.
Be sure to plan the overall deployment for what makes sense in the particular environment. The process may be different than described here depending on the business requirements.
One of the initial steps would be to configure an account definition so that any ADSAccounts that should receive group membership via inheritance, have the "Groups can be inherited" flag checked:
There is more on this here: Creating a formatting rule for IT operating data
Additionally, a simple approach is to create a Business Role that will be automatically assigned to Employee objects. Business Roles can be assigned group objects that can then be inherited by the associated ADSAccounts of the Employees who are assigned to this Business Role.
There is more information on this here: Creating dynamic roles
As well as here: Assigning employees, devices and workdesks to business roles
Thus a straightforward method is to create a Dynamic Role so that any Employees (and their respective ADSAccount) will receive (inherit) the group membership.
Here is a step by step process:
1. Create the Business Role with Dynamic Role and create the condition (WHERE clause) to add any required Employees, e.g.:
The Business Role:
The Dynamic Role, e.g.:
** Optionally, an account definition could be assigned to the business role as well. That way, any Employees assigned to the role will inherit the account definition. If they don't have an ADSAccount it will create one; if they do it won't do anything - but the important part would be the "Groups can be inherited" flag can be checked for all these accounts.
2. Once the Employees have the role and account definition assignment the Group can be assigned to the Business Role and that way the inheritance to any assigned Employees (ADSAccounts) can be completed.
** Another way to do such assignments is by an organization such as Department or Location. In each case it's important that the ADSAccounts have the "Groups can be inherited" flag checked - and this can be accomplished for multiple accounts using a technical definition.
Final result with Group and Account Definition assigned to the Business Role: