
Symptoms


User doesn't have rights to Start Process, but I've granted Start to all Domain Users
 

Diagnoses


This is most likely caused by the K2 group membership cache not being fully resolved or updated. The issue crops up especially often when the Domain Users group is used to grant process rights, which is a common choice for this purpose. In a large enterprise environment Domain Users contains a very large number of users, and it takes a long time to resolve it fully.
All current versions of K2 (including the upcoming 4.7) rely on the identity cache (the Identity.Identity table) for a wide range of operations, because direct calls to AD DS or any other provider are expensive (i.e. have high latency). So if you have just added a user to a group, the change is not immediately reflected in the K2 cache, and the cached result is what gets returned. Both the user and the group have corresponding rows in the Identity.Identity table, and in this case we want to look at the user's ContainersResolved flag and the group's MembersResolved flag (the names are more or less self-explanatory: a user's containers are the groups it belongs to, and a group's members are the users and groups it contains).
For example, if a group has MembersResolved = 0 it means that no membership information has ever been requested for it (there is nothing in the cache). The first use of the group that requires it to be resolved, for example using it in a destination rule with the "Resolve groups/roles to members" option selected, or executing the UMUser_GetGroupUsers SmartObject, triggers a synchronous call to AD DS to resolve the group membership; this is the only time K2 waits for a response from AD DS. Once the call completes, the result is written to the cache and returned to the requesting component. From then on MembersResolved = 1 and all subsequent calls are served from the identity cache; the cache is refreshed only after the group cache interval expires (by default 1 hour) plus the time it takes to fully resolve the group. After that first synchronous resolution, calls are served from the cache even when the entry has expired: an asynchronous call to AD DS runs in parallel and the cache is updated with any changes once that call completes. This is why a change in group membership takes at least the cache interval plus the group resolution time before it becomes visible, which can be significant for Domain Users.
NOTE: It is normal for the Domain Users group to have MembersResolved = 0, as this group is rarely used in K2 in a way that requires it to be fully resolved.
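As an added example (not part of the original article), the following T-SQL query inspects the flags discussed above directly in the K2 database for one user and one group. It assumes the database is named K2, that the FQN, Type, ContainersExpireOn and MembersExpireOn columns exist alongside the two *Resolved flags named above, and that the expiry timestamps are stored in UTC; the user and group FQNs are placeholders to replace with your own.

```sql
-- Added diagnostic query, not from the original article.
-- Assumptions: database name K2; Identity.Identity has FQN, Type,
-- ContainersResolved, ContainersExpireOn, MembersResolved, MembersExpireOn;
-- expiry timestamps are UTC. Only ContainersResolved and MembersResolved are
-- named in the article; verify the other columns against your schema.
USE K2;
GO

-- Placeholders: the user who cannot start the process and the group that was granted Start.
DECLARE @UserFQN  nvarchar(256) = N'K2:DOMAIN\jsmith';
DECLARE @GroupFQN nvarchar(256) = N'K2:DOMAIN\Domain Users';

SELECT
    i.FQN,
    i.Type,                 -- assumption: 1 = user, 2 = group
    i.ContainersResolved,   -- user row: have the user's groups ever been resolved?
    i.ContainersExpireOn,
    i.MembersResolved,      -- group row: have the group's members ever been resolved?
    i.MembersExpireOn,
    CASE
        WHEN i.FQN = @UserFQN AND i.ContainersResolved = 0
            THEN 'user: group membership never resolved (first use will call AD DS synchronously)'
        WHEN i.FQN = @GroupFQN AND i.MembersResolved = 0
            THEN 'group: members never resolved (normal for Domain Users)'
        WHEN i.ContainersExpireOn < GETUTCDATE() OR i.MembersExpireOn < GETUTCDATE()
            THEN 'cached but expired: served stale until the asynchronous refresh completes'
        ELSE 'served from cache'
    END AS CacheState
FROM Identity.Identity AS i
WHERE i.FQN IN (@UserFQN, @GroupFQN);
```

If the user row shows ContainersResolved = 1 but the group is missing from the user's containers, or the expiry time is in the past, you are looking at exactly the stale-cache window described above: the grant is correct in AD DS but K2 will not see it until the next refresh completes.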
 

Resolution

What is suspected to have happened in this case is that the user made a call, perhaps a worklist retrieval, before her membership in the group had been properly resolved, effectively catching the identity cache refresh in flight, and this left her membership broken in the cache.

When dealing specifically with process rights that every user should have, such as Start, you can use the "Everyone" group. This is a special K2 group that grants the configured rights to all users without the overhead of going to the provider (AD DS) or relying on cached data.
This special group is surfaced when configuring process rights in Workspace. "Everyone" provides functionality similar to the "Authenticated Users" special identity in Windows/AD, but it is not a Windows group; it is a special K2 object. Use it only where the intent really is that every authenticated user may start the process; for anything narrower, grant the right to a specific group and allow for the cache refresh delay described above.




 