Users getting "access denied" message accessing pages when group membership should allow access

Article ID: 385281

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Certain users getting "access denied" messages from Cloud SWG accessing resources they should be allowed access.

Content filtering policies allowing access based on group memberships.

Cloud SWG event viewer confirms that all failing requests with the DENY verdict show no group memberships, despite showing valid username.

Auth Connector enabled and integrated with Microsoft Active Directory.

Environment

Auth Connector.

Microsoft Active Directory.

Cloud SWG.

Cause

Active Directory is using nested groups, which are not supported by the Auth Connector.

Resolution

Make sure that all Active Directory (AD) groups referenced by Cloud SWG policies (groups of interest) explicitly include the authenticated Cloud SWG users.

Additional Information

When the Auth Connector returns group information to Cloud SWG, it only sends back the 'groups of interest' associated with the authenticated user. The Auth Connector is aware of all groups assigned to Cloud SWG policies for that tenant, and checks whether the user's groups match any of these.

When AD nested groups are used (making one AD group a member of another group) and the user's returned groups do not match any group referenced in the Cloud SWG policies, no group will be assigned to that user and group-based policies will fail.
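The following is an added illustration, not Auth Connector or Cloud SWG code. It models a small, constructed directory in which one policy group contains a user only through a nested group, and contrasts what a direct-membership-only lookup (the behaviour described above) returns with the user's effective membership. The last function lists the groups of interest a user reaches only through nesting, which are exactly the groups that need the user added explicitly per the Resolution. All group and user names are invented.

```python
# Added example (not Broadcom/Auth Connector code): direct vs. nested AD group
# membership and its effect on the 'groups of interest' sent to Cloud SWG.

# Constructed directory: each group maps to the members it lists directly.
# Entries prefixed "user:" are accounts; anything else is a nested group.
DIRECTORY = {
    "Group.example1": {"user:alice"},
    "Group.example2": {"Regional.Staff"},           # contains only a nested group
    "Group.example3": set(),
    "Regional.Staff": {"user:bob", "user:carol"},   # nested inside Group.example2
    "Group.example4": {"user:dave", "Group.example1"},
    "Group.example5": set(),
}

# Groups referenced by Cloud SWG policies ("groups of interest"), constructed.
GROUPS_OF_INTEREST = ["Group.example1", "Group.example2", "Group.example3",
                      "Group.example4", "Group.example5"]


def direct_groups(user, directory):
    """Groups that list the user as a direct member (what a non-recursive lookup sees)."""
    return {g for g, members in directory.items() if f"user:{user}" in members}


def effective_groups(user, directory):
    """Groups the user belongs to directly or through any depth of nesting."""
    result = set(direct_groups(user, directory))
    frontier = list(result)
    while frontier:
        group = frontier.pop()
        # Any group that lists `group` as a member also contains the user transitively.
        for parent, members in directory.items():
            if group in members and parent not in result:
                result.add(parent)
                frontier.append(parent)
    return result


def groups_of_interest_direct(user, directory, interest):
    """Groups of interest matched by direct membership only (the Auth Connector behaviour)."""
    return sorted(direct_groups(user, directory) & set(interest))


def nested_only_memberships(user, directory, interest):
    """Groups of interest the user reaches only via nesting. These are the groups an
    administrator must add the user to explicitly for Cloud SWG policies to match."""
    direct = direct_groups(user, directory)
    effective = effective_groups(user, directory)
    return sorted((effective - direct) & set(interest))


if __name__ == "__main__":
    for u in ("alice", "bob", "dave"):
        print(u,
              "| sent to Cloud SWG:", groups_of_interest_direct(u, DIRECTORY, GROUPS_OF_INTEREST),
              "| nested only:", nested_only_memberships(u, DIRECTORY, GROUPS_OF_INTEREST))
```

In this model "bob" is a member of Group.example2 only through Regional.Staff, so the direct lookup returns no groups of interest and any Cloud SWG policy keyed on Group.example2 would deny him; `nested_only_memberships` flags that group as the one to fix.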

To verify whether the correct groups are sent back, Auth Connector debug logs can be enabled and a search for the 'Group Membership:' string performed; this will indicate whether the user is a member of any of the Cloud SWG groups of interest. In the example below, Cloud SWG group policies reference multiple groups from Group.example1-5, but the authenticated user is only a member of Group.example2.

2024/11/26 16:07:36.894 [10736] Group Membership:
2024/11/26 16:07:36.894 [10736] Group no: 0, member: no, valid group name: 'Group.example1'
2024/11/26 16:07:36.894 [10736] Group no: 1, member: yes, valid group name: 'Group.example2'
2024/11/26 16:07:36.894 [10736] Group no: 2, member: no, valid group name: 'Group.example3'
2024/11/26 16:07:36.894 [10736] Group no: 4, member: no, valid group name: 'Group.example4'
2024/11/26 16:07:36.894 [10736] Group no: 3, member: no, valid group name: 'Group.example5'

If the user is a member only of a group nested inside Group.example2, a match would not be found and the Cloud SWG proxy would be unaware that the user is a member of Group.example2.
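As an added example (not Broadcom or Auth Connector code), the script below parses the 'Group Membership:' block from the debug log excerpt above and reports which groups of interest the user matched. The sample lines are the ones shown in this article; the assumption that the block ends at the first line not matching the "Group no:" format, and the trailing constructed log line used to show that, are not from the article.

```python
import re

# Added example (not Auth Connector code): read the 'Group Membership:' block from
# Auth Connector debug logs and summarise which groups of interest matched.

# Sample log: the five membership lines from the article, followed by one
# constructed unrelated line to show where the block ends.
SAMPLE_LOG = """\
2024/11/26 16:07:36.894 [10736] Group Membership:
2024/11/26 16:07:36.894 [10736] Group no: 0, member: no, valid group name: 'Group.example1'
2024/11/26 16:07:36.894 [10736] Group no: 1, member: yes, valid group name: 'Group.example2'
2024/11/26 16:07:36.894 [10736] Group no: 2, member: no, valid group name: 'Group.example3'
2024/11/26 16:07:36.894 [10736] Group no: 4, member: no, valid group name: 'Group.example4'
2024/11/26 16:07:36.894 [10736] Group no: 3, member: no, valid group name: 'Group.example5'
2024/11/26 16:07:36.895 [10736] (constructed) unrelated log entry
"""

# Matches one membership line; the format follows the article's excerpt.
GROUP_LINE = re.compile(
    r"Group no: (?P<no>\d+), member: (?P<member>yes|no), valid group name: '(?P<name>[^']+)'"
)


def parse_group_membership(log_text):
    """Return {group_name: is_member} for the lines following 'Group Membership:'.

    The block is assumed to end at the first line that is not a membership line.
    """
    result = {}
    in_block = False
    for line in log_text.splitlines():
        if "Group Membership:" in line:
            in_block = True
            continue
        if not in_block:
            continue
        match = GROUP_LINE.search(line)
        if match is None:
            break
        result[match.group("name")] = match.group("member") == "yes"
    return result


def matched_groups(log_text):
    """Groups of interest the Auth Connector found the user to be a direct member of."""
    return sorted(name for name, member in parse_group_membership(log_text).items() if member)


def diagnose(log_text):
    """One-line reading of the membership block for troubleshooting a DENY verdict."""
    groups = parse_group_membership(log_text)
    matched = matched_groups(log_text)
    if not groups:
        return "no 'Group Membership:' block found; enable Auth Connector debug logging"
    if not matched:
        return (f"user matched none of {len(groups)} groups of interest; group-based "
                "policies will deny (check for nested-only membership)")
    return f"user matched {len(matched)} of {len(groups)} groups of interest: {', '.join(matched)}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Running the parser over a log in which every line reads "member: no" yields the no-match diagnosis, which is the signature described in this article for a user whose only path into a policy group is through nesting.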