Configure the WSS Auth Connector to sync only specified user and group information with portal.

Article ID: 168806

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

By default, the Auth Connector (BCCA) forwards all user and group names to the portal.
This article explains how to sync only selected group or user names with the cloud portal.

Environment

Web Security Service

Resolution

By default, all the domains in the forest and all the groups and users within those domains are returned to the cloud portal for use in policy creation.
To return only a limited set of domains, groups, and users to the cloud portal, use the following sections in the “bcca.ini” file in the installation directory.
 
; [Groups]
; DOMAIN1\Group1
; DOMAIN2\Group1
 
; [Users]
; DOMAIN1\User1
; DOMAIN1\User2
 
Edit the bcca.ini file and add the Domain\User or Domain\Group names to these sections. Both groups and users must have a domain name specified. There are a few stipulations to keep in mind:

  • If groups or users are specified, then only the domains specified are returned to the portal. In the example above, only DOMAIN1 and DOMAIN2 are returned.
  • If other domains exist in the forest then no groups or users are returned for those domains.
  • If groups are specified for a specific domain then only those groups are returned for that domain.
  • If users are specified for a specific domain then only those users get returned for that domain.
  • If groups are specified for a domain but users are not for that domain, then all users from that domain are returned. In the example above, all users in DOMAIN2 would be returned.
  • If users are specified for a domain but groups are not for that domain, then all groups from that domain are returned.

Note: You cannot specify individual Organizational Units (OUs) in Active Directory to be synchronized, because Auth Connector only looks at the down-level format of the user and group names (DOMAIN\User or DOMAIN\Group).
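
The stipulations above can be checked before deployment with a short script. The following is an added example, not Broadcom code: it parses the [Groups] and [Users] sections, rejects entries that are not in DOMAIN\Name form, and computes what would be returned to the portal. It assumes that active entries are the lines without a leading ";", that domain names compare case-insensitively and other names exactly, and it uses a constructed forest; `parse_filters` and `effective_scope` are hypothetical helper names.

```python
import re
# Down-level form only: DOMAIN\Name. DN syntax (OU=..., CN=...) is rejected.
DOWN_LEVEL = re.compile(r"^(?P<domain>[^\\/=,]+)\\(?P<name>[^\\/=,]+)$")

def parse_filters(ini_text):
    """Collect active [Groups]/[Users] entries; ';' lines are comments (assumed)."""
    filters, section = {"groups": {}, "users": {}}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section in filters:
            m = DOWN_LEVEL.match(line)
            if not m:
                raise ValueError(f"not DOMAIN\\Name: {line!r}")
            filters[section].setdefault(m["domain"].upper(), set()).add(m["name"])
    return filters

def effective_scope(filters, forest):
    """Apply the article's rules to forest = {domain: {"groups": set, "users": set}}."""
    listed = set(filters["groups"]) | set(filters["users"])
    if not listed:  # no filters configured: default, everything is returned
        return {d: {k: set(v) for k, v in o.items()} for d, o in forest.items()}
    scope = {}
    for domain in listed & set(forest):  # domains not listed return nothing
        scope[domain] = {}
        for kind in ("groups", "users"):
            wanted = filters[kind].get(domain)
            have = forest[domain][kind]
            # Kind listed for this domain: only those names. Otherwise: all.
            scope[domain][kind] = have & wanted if wanted else set(have)
    return scope

# Constructed samples: the article's example without ';', and a made-up forest.
SAMPLE_INI = r"""
[Groups]
DOMAIN1\Group1
DOMAIN2\Group1
[Users]
DOMAIN1\User1
DOMAIN1\User2
"""
SAMPLE_FOREST = {
    "DOMAIN1": {"groups": {"Group1", "Group2"}, "users": {"User1", "User2", "User3"}},
    "DOMAIN2": {"groups": {"Group1", "Group9"}, "users": {"Alice", "Bob"}},
    "DOMAIN3": {"groups": {"Staff"}, "users": {"Carol"}},
}
```

Calling `effective_scope(parse_filters(SAMPLE_INI), SAMPLE_FOREST)` shows the case that is easy to miss: DOMAIN2 has a group filter but no user filter, so every DOMAIN2 user is still returned to the portal.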