When the ProxySG appliance connects to BCAAA, it sends BCAAA a list of all the groups referenced in policy. These are called "Groups of Interest."
BCAAA creates a mutex for each Group of Interest. An ACL is placed on the mutex such that it allows only the specified group access.
Following a successful authentication, BCAAA impersonates the user and attempts to access each mutex; this lets Windows handle the complexities of nested groups. Nested groups are therefore not an issue for IWA realms.
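The following Python model is an added example, not BCAAA or ProxySG code: it imitates the mechanism described above, with a guarded object standing in for each ACL-protected mutex and a token built by transitive expansion standing in for Windows impersonation. The directory contents, group names and function names are all constructed for illustration.

```python
# Model only: users, groups and names below are constructed for illustration.
from dataclasses import dataclass

# Constructed directory: principal -> groups it is a DIRECT member of.
MEMBER_OF = {
    "alice": {"Helpdesk"},
    "bob": {"Contractors"},
    "Helpdesk": {"IT-Staff"},
    "IT-Staff": {"Web-Allowed"},
    "Web-Allowed": {"IT-Staff"},  # circular nesting, must not loop forever
}

def build_token(user):
    """Stand-in for the OS at logon: expand memberships transitively."""
    sids, stack = {user}, [user]
    while stack:
        for group in MEMBER_OF.get(stack.pop(), ()):
            if group not in sids:
                sids.add(group)
                stack.append(group)
    return frozenset(sids)

@dataclass(frozen=True)
class GuardedObject:
    """Stand-in for one named mutex whose ACL allows a single group."""
    name: str
    allowed_sid: str

    def open_as(self, token):
        # Access check: granted only if the allowed group is in the token.
        if self.allowed_sid not in token:
            raise PermissionError(self.name)
        return True

def create_probes(groups_of_interest):
    """One guarded object per group that policy references."""
    return [GuardedObject(f"probe-{g}", g) for g in groups_of_interest]

def groups_for(user, probes):
    """Act with the user's token and try to open every probe."""
    token = build_token(user)
    matched = set()
    for probe in probes:
        try:
            probe.open_as(token)
            matched.add(probe.allowed_sid)
        except PermissionError:
            pass  # denied: not a member, directly or through nesting
    return matched

PROBES = create_probes(["Web-Allowed", "Contractors", "Finance"])
```

A check that compared only direct memberships would miss alice's membership of Web-Allowed; the probe approach finds it because the expansion has already happened by the time the access check runs.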