Hi Jesse,
It would be a great improvement in DLP profile management to be able to use AD attributes or groups to manage profile assignment, but for now it is not.
I think the only way to do what you want is to update the DLP database using a home-made script (in older DLP versions I was able to mimic browsing through the DLP UI pages to perform some extracts automatically, but it was so tricky, and there were so many updates in the following versions, that it does not work anymore). There are two tables to be updated:
UserRoleMapping : in order to assign user to role
ProtectUser : in order to update defaultroleid field
(maybe there is some other table to update, but I don't think so; it has to be tested)
So your script has to access AD information (directly or via a flat file), then analyze who should have which profile, and then check in the DB whether everything is OK or not. If there is something to be updated, you may go through a third-party system to request the update (or validation) or do it automatically in the DB. You should implement some controls to be sure that the role exists (for example after a new organisation definition)...
Of course, updating the DLP DB directly is never a good solution, but when it is the only one, this could be a solution while waiting for the DLP tool to get this new capability.
Regards
PS: I can perform some tests on my side, as I am sure many DLP customers would be interested in it (in Europe, managing department and country segregation sometimes looks crazy)
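
A dry-run sketch of the reconciliation described in the post above, added here as an example and not code from the poster or the DLP vendor. It compares a flat-file AD export with the database and returns a change plan without writing anything. Only the table names UserRoleMapping and ProtectUser and the defaultroleid field come from the post; the Role table, all other columns, the AD group names and the in-memory SQLite stand-in are assumptions.

```python
import csv, io, sqlite3

# Constructed sample: flat-file AD export and an AD group -> DLP role policy.
AD_EXPORT = "user,ad_group\nalice,DLP-FR-Finance\nbob,DLP-DE-HR\ncarol,DLP-IT-Legal\n"
GROUP_TO_ROLE = {"DLP-FR-Finance": "FR Finance", "DLP-DE-HR": "DE HR",
                 "DLP-IT-Legal": "IT Legal"}

def build_sample_db():
    """In-memory stand-in for the DLP DB. Hypothetical schema: only the two
    table names and defaultroleid are taken from the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Role(roleid INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE ProtectUser(userid INTEGER PRIMARY KEY, username TEXT,
                                 defaultroleid INTEGER);
        CREATE TABLE UserRoleMapping(userid INTEGER, roleid INTEGER);
        INSERT INTO Role VALUES (1,'FR Finance'),(2,'DE HR');
        INSERT INTO ProtectUser VALUES (10,'alice',1),(11,'bob',1),(12,'carol',NULL);
        INSERT INTO UserRoleMapping VALUES (10,1),(11,1);
    """)
    return db

def plan_changes(db, ad_csv, group_to_role):
    """Return (user, action, detail) tuples; nothing is written to the DB."""
    roles = dict(db.execute("SELECT name, roleid FROM Role"))
    plan = []
    for row in csv.DictReader(io.StringIO(ad_csv)):
        user, wanted = row["user"], group_to_role.get(row["ad_group"])
        if wanted not in roles:  # control: the target role must already exist
            plan.append((user, "HOLD", f"role for {row['ad_group']} does not exist"))
            continue
        rec = db.execute("SELECT userid, defaultroleid FROM ProtectUser "
                         "WHERE username=?", (user,)).fetchone()
        if rec is None:
            plan.append((user, "HOLD", "user not in ProtectUser"))
            continue
        userid, default = rec
        mapped = {r for (r,) in db.execute(
            "SELECT roleid FROM UserRoleMapping WHERE userid=?", (userid,))}
        rid = roles[wanted]
        if rid not in mapped:
            plan.append((user, "ADD_MAPPING", f"roleid {rid}"))
        for stale in sorted(mapped - {rid}):
            plan.append((user, "REMOVE_MAPPING", f"roleid {stale}"))
        if default != rid:
            plan.append((user, "SET_DEFAULT", f"roleid {rid}"))
    return plan

if __name__ == "__main__":
    for change in plan_changes(build_sample_db(), AD_EXPORT, GROUP_TO_ROLE):
        print(change)
```

The returned plan can be handed to a validation or ticketing step before any write, and HOLD entries cover the case where a role has not been created yet after a new organisation definition.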