Indeed Certificate Manager uses a mechanism to issue device policies to users. Each policy contains card operation parameters: a list of CAs and certificate templates, PIN installation requirements, a list of actions with the device available to the user, etc. Each policy has its own scope of action. For the Indeed CM user directory in Active Directory this is:
Domain
Container
Organizational Unit
All users located in the policy object will be issued devices with the parameters defined in the policy. The Policy can apply to the entire object (Domain, Container or Organizational Unit), or to specific groups of users within it. The user who falls under the scope of several device release policies (e.g., is a member of two groups located in the same OU) will be affected by the policy with the higher priority.