We populate users into their groups via the use of "special groups" on the fly (as part of Shibboleth authN integration into DSpace) and had been noticing that the mapped users cannot gain access to their resources despite they have the aforementioned groups in the special group.
Temporary fix for this is to persist the group membership, e.g.
int groupIDs = AuthenticationManager.getSpecialGroups(context,request);
Group g = Group.find(context, groupIDs[i]);
This is not ideal, it would be better if the special groups are loaded/integrated into Group.isMember(eperson), or Group.isMember(groupid), etc calls. These isMember seem to be only honouring explicit users assigned in DB. Currently special groups only included in Group.allMemberGroupIDs and isMember(context,groupid).