Changes made to the LDAP server tree are not reflected in policy actions on the ProxySG.
The LDAP Realm information is held in its own RAM instance not associated in the Authentication Cache.
If a change is made to the configuration of the LDAP server (e.g. a GROUP is added), then the LDAP Realm information on the ProxySG needs to be refreshed to reflect this.
This can be done by rebooting the ProxySG appliance, though this can be a bit of a drastic solution in a production environment.
To refresh the information without rebooting, make a change to the LDAP configuration on the ProxySG to force a refresh.
Do this by adding a bogus Base DN and then removing it. For example, if the Base DN is already dc=emea,dc=lab,dc=com do the following to force a refresh:
1) In the Management Console, select Configuration tab > Authentication > LDAP > LDAP DN tab.
2) Click the New button.
3) In the popup, add a new DN (which does not have to exist). For example, use dc=users,dc=lab,dc=com.
4) Click OK and then Apply.
5) Select the newly added DN, and click the Delete button.
6) Click OK and then Apply.
The LDAP Realm instance on the ProxySG should now be refreshed.
Note: If the change was for a specific user who is currently logged into the ProxySG, it may be necessary to log them out in order for them to get the new attributes (e.g. Group membership). To do this, select Statistics tab > Authentication > Display by user button (or Display by IP).