Today in AA you can only define an LDAP "Base DN".
To better support complex LDAP hierarchies and the diverse sorts of user communities under them (service accounts, employees likely spread across multiple geographic OUs, customers, suppliers, etc.), being able to apply an LDAP Search Filter would significantly improve AA customers' ability to prevent unwanted users from being presented to AA while also being able to simply use the top of the Tree structure as the Base DN.
Same for the LDAP Repo's Group objects and their associated optional Base DN -- it should be able to have a declared LDAP Filter as well to vastly improve processing performance in large AD and eDir trees where the tens of thousands of unnecessary groups could be excluded while still declaring the Group object search path as the top of the LDAP Tree.
Any large organization like ours is going to have relevant users and groups scattered all throughout the Tree, so declaring the top of that Tree as the Base DN is a given. Nevertheless, a simple LDAP Search Filter declaration would give us real power to dramatically trim the processing time and overhead for LDAP Synchronizations, as well as controlling AA's overall visibility.