You can do the following :
You need to make sure CCPM it's already part of the domain and it's able to read attributes from AD , if this is already setup just follow these steps
Create a Role Mapping
Then add the rules that will match in AD
Create a role
Create an enforcement profile
Add the attributes that you want to match VLAN and USER-ROLE created in the controller
Create a enforcement policy and add the enforcement profile already created
Add the rules to the enforcement policy to match the Role you created under CCPM (AD Test Group)
And Finally add this role to the Service