Group policies do not work, but user-based policies work. When policies are evaluated from top to bottom, group-based policies are ignored and the global G4 rule is hit.
When the auth connector fails to connect to the data center where the user/member is connected, or is unable to connect to the remote AD server, Web Security Service (WSS) does not receive information about the groups the user belongs to. WSS then has no mapping of which users/members belong to which group, so group-based policies cannot be evaluated.
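The symptom described above can be reproduced with a simplified first-match policy model. This is an added example, not WSS's own policy engine. The rule names G1 to G3, the users and the groups are constructed assumptions; only G4 comes from this article.

```python
# Simplified first-match policy model (added example; not WSS's actual engine).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    verdict: str
    user: Optional[str] = None   # matches one named user
    group: Optional[str] = None  # matches members of one group
    # A rule with neither user nor group set is a global rule.


# Constructed policy, listed top to bottom. Only the name "G4" is from the page.
POLICY = [
    Rule("G1", "allow", user="alice"),
    Rule("G2", "allow", group="Engineering"),
    Rule("G3", "block", group="Contractors"),
    Rule("G4", "block"),
]


def evaluate(user, group_map, policy=POLICY):
    """Return the first rule that matches the user, scanning top to bottom.

    group_map is the user -> groups mapping the service holds. It is empty
    when the auth connector could not deliver group membership.
    """
    groups = group_map.get(user, set())
    for rule in policy:
        if rule.user is not None:
            if rule.user == user:
                return rule
        elif rule.group is not None:
            if rule.group in groups:
                return rule
        else:
            return rule  # global rule matches everyone
    return None


def skipped_group_rules(user, expected_groups, group_map, policy=POLICY):
    """Group rules that should have matched before the rule that actually hit."""
    hit = evaluate(user, group_map, policy)
    skipped = []
    for rule in policy:
        if rule is hit:
            break
        if rule.group in expected_groups:
            skipped.append(rule.name)
    return skipped
```

A non-empty result from `skipped_group_rules` for a user whose directory groups are known is the pattern to look for: user-based rules still match, while traffic from group members lands on the global rule.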
Web Security Service (WSS)
Authentication via Auth connector
Find out why the connection between the auth connector and the data center is failing. There may be multiple reasons for this failure, including heavy CPU or memory load or running out of storage, which can be found in the Windows event logs. There could also be networking errors. Generate and check the bcca debug logs to find connection problems.
To gather auth connector debug logs, see "How to gather Cloud Auth Connector debug logs for WSS".