Authentication Issues with Shared LDAP Configuration over Multiple VSYS

Created On 09/26/18 13:53 PM - Last Modified 06/03/23 04:02 AM


Resolution


Symptoms

Group based rules don't match when authenticating via a shared LDAP configuration and a shared authentication profile.

 

Issue

Group information is not carried across virtual systems, so rules configured to allow or deny groups of users will not match in the policy.

 

Resolution

Configure VSYS specific LDAP authentication profiles instead of the shared profile.

 

Note: In some cases only one vsys may be present, yet the authentication profile is still configured as a "shared" profile. This can happen when the firewall was once configured as a multi-vsys device and a shared profile was created at that time; the multi-vsys configuration was later removed, leaving only one vsys, but the authentication profile still shows as 'shared' because it was created while the device was set for multi-vsys. In such cases, make sure the LDAP authentication profile is configured for that single vsys rather than as a shared profile.
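As an added check (not part of this article), the following Python script scans an exported PAN-OS XML configuration and reports LDAP authentication profiles defined under shared rather than under each vsys, which is the condition the article describes. The element paths it assumes (shared/authentication-profile and devices/entry/vsys/entry/authentication-profile) follow the usual PAN-OS export layout; the embedded configuration is a constructed sample, not a real device export.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS configuration export (not from a real device):
# one shared LDAP authentication profile, two vsys, only vsys1 has its own profile.
SAMPLE_CONFIG = """<config>
  <shared>
    <authentication-profile>
      <entry name="LDAP-Shared">
        <method><ldap><server-profile>Corp-LDAP</server-profile></ldap></method>
      </entry>
    </authentication-profile>
  </shared>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <authentication-profile>
            <entry name="LDAP-vsys1">
              <method><ldap><server-profile>Corp-LDAP</server-profile></ldap></method>
            </entry>
          </authentication-profile>
        </entry>
        <entry name="vsys2"/>
      </vsys>
    </entry>
  </devices>
</config>"""


def _ldap_profile_names(container):
    """Names of authentication-profile entries under `container` whose method is LDAP."""
    return [e.get("name") for e in container.findall("./authentication-profile/entry")
            if e.find("./method/ldap") is not None]


def audit_ldap_profiles(config_xml):
    """Return (shared LDAP profile names, {vsys name: its LDAP profile names})."""
    root = ET.fromstring(config_xml)
    shared = _ldap_profile_names(root.find("./shared")) if root.find("./shared") is not None else []
    per_vsys = {v.get("name"): _ldap_profile_names(v)
                for v in root.findall("./devices/entry/vsys/entry")}
    return shared, per_vsys


def findings(config_xml):
    """Human-readable findings: shared LDAP profiles and vsys lacking their own."""
    shared, per_vsys = audit_ldap_profiles(config_xml)
    out = [f"shared LDAP authentication profile '{p}': group info will not carry across vsys"
           for p in shared]
    out += [f"{v}: no vsys-specific LDAP authentication profile"
            for v, profiles in per_vsys.items() if not profiles]
    return out
```

Run it against a saved `running-config.xml` by passing the file contents to `findings()`; an empty list means every vsys has its own LDAP profile and no shared one remains.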

 

owner: yogihara



https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClxE&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkCSArticleDetail