I was able to reproduce the issue now.
It looks like the problem is caused when the user is also imported directly.
So basically some permissions are granted via an AD group, another on the directly imported user.
I'll grab the logs and will open a case with reference to this thread here.
Here is how I reproduced it:
- Imported AD group with my user in it: granted permission on one environment of one test application
- Imported my user that is also in the group directly and gave him no permissions yet (next test would have been to grant it permissions only on another application, but the error already occurred)
=> Granting my directly imported user ONLY permissions on the application, not the environment itself, already solves the issue
Because granting the permissions on application level is enough, I would assume that the ROC actions somehow fail to grab the union permissions if the imported user has no permissions at all on the application itself. It might be that the permission check goes in order, to first check the directly imported users and then the ones being part of AD groups. So the first check fails, because the user simply can't even see the application if only the imported user is taken into account.