A user is added to a new group in AD, but the user retains original access to the site as if the group was not added.
Access to a site is incorrectly denied or allowed after a user is newly added to a new group that should change this result.
Edge SWG (ProxySG) with Kerberos authentication
The Kerberos ticket is set when a user logs on to their PC. When added to a group in AD, this new group membership is not reflected in the current Kerberos ticket, and therefore the value for the new access is not reflected when this is decrypted by the proxy.