Policy Verification Error: "Only User Groups are allowed as Source in VPN and Client Authentication Rules"
Access Roles for the Identity Awareness enforcement cannot be used in rules where the VPN column contains a community (Remote Access or other).
To add users/groups as source for Remote Access VPN rules:
Right click in the source column of the Rule Base and select Add Objects > Legacy User Access
In rules with Access Roles, set the VPN column to "Any Traffic".
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.