The local account in smartzone is used as reference account for privileges. If you change password of account in RADIUS/AD, you don't have to change anything in SZ local user.
AAA server is required to send an attribute back to the SZ that maps the AAA
account to a local admin account on the SZ. Then the local admin account on SZ
is mapped to an admin role on SZ which defines the permission.
In 5.x version and above to simplify this deployment,
If you choose "Default Role mapping" AAA users will be automatically mapped to default local user/group permission even
if the AAA server does not use mapping attributes.