Regarding #1, I had this requirement with a customer of mine. They were looking to do a "bulk" upload of between 50 and 100 users, and they also use AD Authentication. Since there's no standard way, I resorted to creating a script to do it. I just have them create the list of users in a CSV, including which role they want each user to be in, then parse that out into SQL statements which I run directly on the database to insert the users. It's not an "ongoing" process, more a one-time load, so it didn't make sense to refine it further than that.
On #2, you're right. The only way to do this is to create unique roles for each manager, or department. Might I suggest that if it's at a level where there are hundreds of "units", maybe you're too low in the organization for this to be effective. It might require a new organizational role which is responsible for managing DLP incidents across multiple units, etc. Not that I'm trying to mold the org to accommodate a limitation in the system, but I see a lot of problems with having that many users managing incidents (training, consistency of use, application of standards, etc.). If these were just users from a reporting standpoint, and not actually acting on and remediating incidents, I might suggest that use of the Reporting API would be a good alternative and give you a little more flexibility.
Just my opinion.
~Keith
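The CSV-to-SQL bulk load Keith describes in #1, as an added example (this is not Keith's script, and the post does not show the product's tables, so the `users`/`roles` schema and the sample CSV below are constructed stand-ins run on in-memory SQLite): it checks the role column against a known list, drops duplicate usernames, and inserts with bound parameters so CSV field contents are never spliced into the SQL text.

```python
import csv
import io
import sqlite3

# Constructed sample CSV in the shape the post describes: one user per line,
# with the role each user should land in. Names and roles are made up; the
# last row shows why field values must be bound, not concatenated into SQL.
SAMPLE_CSV = """username,display_name,role
jdoe,Jane Doe,Incident Responder
bsmith,Bob Smith,Report Viewer
jdoe,Jane Doe,Incident Responder
mallory,"Mallory'); DROP TABLE users;--",Incident Responder
"""

# Hypothetical schema standing in for the DLP product's own tables, which
# the post does not show; real column and table names will differ.
SCHEMA = """
CREATE TABLE roles (role_id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                    display_name TEXT NOT NULL,
                    role_id INTEGER NOT NULL REFERENCES roles(role_id));
"""
ALLOWED_ROLES = ("Incident Responder", "Report Viewer")


def parse_users(csv_text):
    """Parse the CSV into (username, display_name, role) rows. Unknown roles
    abort the load; a repeated username keeps its first occurrence only."""
    seen, rows = set(), []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["role"] not in ALLOWED_ROLES:
            raise ValueError(f"unknown role {rec['role']!r} for {rec['username']!r}")
        if rec["username"] in seen:
            continue
        seen.add(rec["username"])
        rows.append((rec["username"], rec["display_name"], rec["role"]))
    return rows


def load_users(conn, rows):
    """Insert all rows in one transaction with bound parameters; the role name
    is resolved to its id inside the statement. Returns the user count."""
    with conn:  # commits on success, rolls back if any insert fails
        conn.executemany(
            "INSERT INTO users (username, display_name, role_id) "
            "SELECT ?, ?, role_id FROM roles WHERE name = ?",
            rows,
        )
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO roles (name) VALUES (?)", [(r,) for r in ALLOWED_ROLES])
    return load_users(conn, parse_users(SAMPLE_CSV))  # returns 3
```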