Users in a group are not authorized to access the Nifi UI if policy is defined for a LDAP group in Ranger . Specifying the user works without any issues.
This is currently a known limitation in the way groups work between NiFi and Ranger. When NiFi is using an external authorizer it only knows the user's identity string and defers everything else to the external authorizer (Ranger), but Ranger needs systems to pass the user's groups on the authorization request so that it can evaluate the request with the groups against the local policy cache.
Just wanted to close the loop on this issue as LDAP-group based policies is supported. This functionality is in NiFi 1.4.0 and HDF 3.1.1 (NiFi 1.5.0 component):