This article assumes that you're already configured to use Ranger authorization in HDF 3.0.x or earlier and that Ranger instance is syncing the available users/groups with your Directory Server. In order to leverage policies defined with these groups, we'll need to upgrade to HDF 3.1.0 or later and migrate your configuration to utilize a new Ranger authorizer in NiFi.
In short, you’ll need to update your authorizers.xml file to configure a userGroupProvider and modify your authorizer to be a ManagedRangerAuthorizer. The idea is that previously an Authorizer was configured which was responsible for making access decisions, managing policies, and managing users/groups. Whether or not the Authorizer supported managing policies and users/groups was optional. The default File base authorizer supported this. The existing Ranger authorizer did not (it only made access decisions).
For HDF 3.1 we decoupled these concepts so you can independently configure the Authorizer (makes access decisions), an AccessPolicyProvider (manage policies), and a UserGroupProvider (manage users/groups). Documentation exists for these three concepts and includes examples .
What you’ll need to do is update your authorizers.xml and add a UserGroupProvider to bind your users/groups from your Directory Server that Ranger is syncing to. There are a couple detailed examples of binding users/groups from a Directory Server using the LdapUserGroupProvider. Searching for this term in  should direct you to the relevant examples.
Following the concepts defined above, the ManagedRangerAuthorizer will act as the AccessPolicyProvider (since the policies are defined there) and the Authorizer (Ranger ultimately makes the access decisions). To configure your ManagedRangerAuthorizer, we can take your existing configuration for RangerNiFiAuthorizer and 1) modify the class and 2) add a reference to your LdapUserGroupProvider. The remainder of the configuration should remain unchanged. This should look something like this:
<class>org.apache.nifi.ranger.authorization.ManagedRangerAuthorizer</class> <!-- 1) UPDATE CLASS NAME -->
<property name="User Group Provider">ldap-user-group-provider</property> <!-- 2) REFERENCE USER GROUP PROVIDER -->
<property name="Ranger Audit Config Path">…</property>
<property name="Ranger Security Config Path">…</property>
<property name="Ranger Service Type">…</property>
<property name="Ranger Application Id">…</property>
<property name="Ranger Admin Identity">…</property>
This is all that you should need to do. In totality, the structure of your authorizers.xml file should looks like this: