

 

Symptoms


Users are intermittently unable to start a process when process start rights are granted via the Domain Users group. The following error is logged in the K2 host server log:

24408 K2:DOMAINUser from XXX.XXX.XXX.XXX:YYYY does not have rights to Start Process PROJECTProcess
 

Diagnoses


This issue has an underlying root cause: the user's group membership information in the Identity table was expired, outdated or incomplete. To find it, look at your ContainersExpireOn setting, calculate when the last identity update was performed, and then parse the ADUM logs for the cause. The issue can be truly intermittent, however, and may not lend itself to a quick fix.

There are two different resolving scenarios that could cause issues:

1. Resolving the group's membership
2. Resolving the user's containers

(1) Because you use the Domain Users group, K2 should never resolve it in full by itself unless you trigger resolution of this group with scripts. For groups in general, though, the MembersResolve timeout should be looked at. By default a refresh happens every hour. It is possible that an error occurred and wiped all the members of Domain Users, or that AD for some reason did not return all users.

(2) The ContainersResolved timeout should be looked at. It could be that an error occurred, or that AD for some reason did not return Domain Users as one of the user's groups.

In theory, for both (1) and (2), it could even be that a SQL error is causing the updates to the table to be applied incorrectly.

If you can establish that an error did occur at some stage, either while resolving Domain Users or while resolving the user who gets the start rights error, then we can debug this further; full LDAP query logging may help show what is going wrong.
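An added example (not K2's own code) of the calculation described above: it pulls the 24408 start-rights denials out of a host server log and places each one relative to the user's last container refresh, taken as ContainersExpireOn minus the cache interval. The timestamp prefix on the log lines, the sample users and values, the 8-hour interval and the function names are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines. The leading timestamp is an assumed layout; the
# message text follows the error shown in the article.
SAMPLE_LOG = r"""
2024-03-05 09:14:02 24408 K2:CONTOSO\alice from 10.0.0.21:5555 does not have rights to Start Process Expenses\Claim
2024-03-05 09:14:40 24408 K2:CONTOSO\alice from 10.0.0.21:5555 does not have rights to Start Process Expenses\Claim
2024-03-05 09:20:11 Session opened for K2:CONTOSO\bob
2024-03-05 11:47:30 24408 K2:CONTOSO\carol from 10.0.0.35:6021 does not have rights to Start Process Expenses\Claim
"""

DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) 24408 (?P<user>\S+) from \S+ "
    r"does not have rights to Start Process (?P<proc>.+)$")

def parse_denials(text):
    """Return {user: [timestamps]} for 24408 start-rights denials."""
    denials = {}
    for line in text.splitlines():
        m = DENIED.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            denials.setdefault(m["user"], []).append(ts)
    return denials

def classify(denial_ts, containers_expire_on, cache_interval):
    """Place a denial relative to the user's last container refresh."""
    last_update = containers_expire_on - cache_interval
    if denial_ts < last_update:
        state = "refreshed-since"    # row was rebuilt after the denial
    elif denial_ts > containers_expire_on:
        state = "expired-at-denial"  # cached groups were already stale
    else:
        state = "cached-at-denial"   # check ADUM log around last_update
    return state, last_update

if __name__ == "__main__":
    # Assumed values: read ContainersExpireOn from the user's Identity row
    # and use the cache interval configured in your environment.
    expire_on = datetime(2024, 3, 5, 17, 0, 0)
    interval = timedelta(hours=8)
    for user, stamps in parse_denials(SAMPLE_LOG).items():
        state, last = classify(min(stamps), expire_on, interval)
        print(f"{user}: {len(stamps)} denial(s), {state}, last update {last}")
```

A "cached-at-denial" result points at the refresh that produced the bad membership, so the ADUM log entries around the returned last-update time are the ones to read first.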

WORKAROUND: Replace the Domain Users group with the Everyone object for the Process Start rights assignment. This bypasses all group membership checks in external systems and allows any user that exists in K2 to perform the requested operation.
 

Resolution

Consider adjusting your identity cache settings to be more aggressive, and check for issues related to getting data from the external source provider (AD DS). As a quick workaround/solution, switch to using the Everyone K2 object for granting process start rights.




 