You might want to do some rule tracing and specifically look at the group list retrieved for the request. This is at least important for Active Directory because the LDAP query only retrieves security groups, and if some domain admin changes a key group at some level in the group hierarchy to some other type, the group you're testing for won't be there. This has, in fact, happened, and it only became apparent after doing a rule trace and specifically examining the retrieved group list.
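The behaviour described in the post above, as an added example that is not part of the original thread or of any McAfee Web Gateway code: an in-memory model of the nested-group lookup, where each hop is an LDAP query restricted to security-enabled groups (the real Active Directory `groupType` bit 0x80000000 and the bitwise-AND matching rule `1.2.840.113556.1.4.803`). The directory entries, DNs and the `trace()` helper are constructed for the example; changing one intermediate group to a distribution group makes the group you test for disappear from the retrieved list, which is exactly what a rule trace would reveal.

```python
from collections import deque

# ADS_GROUP_TYPE_SECURITY_ENABLED: set on security groups, clear on distribution groups.
SECURITY_ENABLED = 0x80000000
SCOPE_BITS = {0x2: "global", 0x4: "domain local", 0x8: "universal"}

# The real AD filter a gateway would send to fetch security-enabled groups only
# (kept here so the reader can compare it with what a rule trace shows).
SECURITY_GROUP_FILTER = (
    "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=2147483648))"
)


def is_security_group(group_type: int) -> bool:
    """AD stores groupType as a signed 32-bit int; normalise before testing the bit."""
    return bool((group_type & 0xFFFFFFFF) & SECURITY_ENABLED)


def describe_group_type(group_type: int) -> str:
    scope = next((name for bit, name in SCOPE_BITS.items() if group_type & bit), "unknown")
    kind = "security" if is_security_group(group_type) else "distribution"
    return f"{kind} {scope}"


# Constructed directory (example data, not a real domain): dn -> (groupType, member DNs).
USER_DN = "CN=alice,OU=Users,DC=example,DC=test"
STAFF_DN = "CN=Staff,OU=Groups,DC=example,DC=test"
INTERMEDIATE_DN = "CN=Intermediate,OU=Groups,DC=example,DC=test"
PROXY_ALLOWED_DN = "CN=Proxy-Allowed,OU=Groups,DC=example,DC=test"


def build_directory(intermediate_group_type: int) -> dict:
    """alice -> Staff -> Intermediate -> Proxy-Allowed; only the middle group's type varies."""
    return {
        STAFF_DN: (-2147483646, [USER_DN]),                 # security global
        INTERMEDIATE_DN: (intermediate_group_type, [STAFF_DN]),
        PROXY_ALLOWED_DN: (-2147483646, [INTERMEDIATE_DN]),  # security global
    }


def lookup_security_groups(directory: dict, member_dn: str) -> list:
    """One LDAP round trip: security groups whose member attribute lists member_dn."""
    return [
        dn for dn, (group_type, members) in directory.items()
        if member_dn in members and is_security_group(group_type)
    ]


def retrieve_group_list(directory: dict, user_dn: str) -> list:
    """Transitive walk the way a gateway resolves nested groups, one filtered query per hop."""
    found, seen, queue = [], {user_dn}, deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group_dn in lookup_security_groups(directory, dn):
            if group_dn not in seen:
                seen.add(group_dn)
                found.append(group_dn)
                queue.append(group_dn)  # a non-security hop is never enqueued, so the walk stops
    return found


def trace(directory: dict, user_dn: str, tested_group: str) -> str:
    """Render what a rule trace of the group-list step would let you check."""
    groups = retrieve_group_list(directory, user_dn)
    lines = [f"Retrieved groups for {user_dn}:"]
    for group_dn in groups:
        lines.append(f"  {group_dn} [{describe_group_type(directory[group_dn][0])}]")
    lines.append(f"Tested group {tested_group} present: {tested_group in groups}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("-- hierarchy intact --")
    print(trace(build_directory(-2147483646), USER_DN, PROXY_ALLOWED_DN))
    print("-- Intermediate changed to a distribution group --")
    print(trace(build_directory(2), USER_DN, PROXY_ALLOWED_DN))
```

Run it as-is and compare the two traces: with `Intermediate` changed to a distribution group (groupType 2), the walk never reaches `Proxy-Allowed`, so a rule keyed on that group silently stops matching even though the user's membership chain looks unchanged in the AD console.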
The issue is when the system is connected to the open internet and not the corporate network. So the traffic is not going through the on-premises McAfee Web Gateway but through the cloud. So I have no clue where we could run the rule trace in the case of the cloud??