Symptoms

Users in a SharePoint group are unable to start a process, despite that SharePoint group being given Process Start rights.
 

Diagnoses

K2 blackpearl tracks group membership via the Identity Service. Groups are stored in the Identity Cache, and those groups' members are periodically resolved and cached in the database.
If the SharePoint group was not already stored in the Identity Cache (in the K2 database), granting process rights to that group will not add it to the Identity Cache. Therefore, the group does not get resolved, and no membership is cached.
 

Resolution

The "ForceIdentityServiceRefresh" tool was provided to manually force the cache to update.
The tool "expires" the selected identities (sets their "ExpireOn" values in the Identity.Identity table to the past). Then, it makes a call to K2 to request details about the user/group. Since that identity is now "expired" in the cache, it forces the Identity Service to call back to the user store (AD, SharePoint, etc.) to retrieve current information.
It then writes that current information to the Identity.* tables and updates the "ExpireOn" values to the interval specified in the Identity.CacheConfiguration table.