Within the EEM GUI, some users are shown as belonging to dynamic user groups (DUGs) that they should not belong to. The DUG policies for the groups in question do not include the user, or any other group of which the user is a member, in the identities list.
Release : 12.0
Component : WA AE/AUTOSYS RELATED EEM
Log in to EEM as eiamadmin under the application containing the DUGs in question.
Go to Manage Access Policies -> Permission Check
Resource Class: SafeDynamicUserGroup
Resource: <name of dynamic user group in question>
Identity: <name of user in question>
Click "Run Permission Check" and select "Display debug information".
You should then be able to see the user details, including all of their group memberships, along with the policy that is either granting or denying them access.
Review that policy to find out whether there is a misconfiguration.