If any user or group specified in the policy-being-created (or updated) does not exist in Ranger, currently the policy is created (or updated) after ignoring non-existent users and groups.
This causes the REST client creating the policy to assume the policy was created as given. However, since the created policy doesn't include some users/groups, some users will not be authorized by the Ranger policy as expected. For example,
1) create a policy that grants select access to user1 on table accounts
2) perform select on table accounts as user1
Step #2 above will fail if user1 did not exist in Ranger at the time the policy was created. Instead of ignoring the non-existent users/groups, policy creation should fail, so that the caller can take the necessary corrective action or retry after a wait (to give time for the user to sync from LDAP/Unix to Ranger).
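
Until the server rejects such requests, a REST client can detect the silent drop itself. The following is an added example, not part of the original report or of Ranger's code: it compares the policy that was sent with the policy the server returned and fails when users or groups are missing. The item-list and field names follow Ranger's policy JSON model; the helper names and both sample policies are constructed for illustration.

```python
# Added example: detect users/groups dropped from a Ranger policy on create/update.
# Item lists of a Ranger policy that can carry users and groups.
ITEM_LISTS = ("policyItems", "denyPolicyItems", "allowExceptions", "denyExceptions")


class PolicyMismatch(Exception):
    """Raised when the stored policy lacks principals that were requested."""


def principals(policy):
    """Return the set of (item_list, kind, name) tuples referenced by a policy dict."""
    found = set()
    for key in ITEM_LISTS:
        for item in policy.get(key) or []:
            for kind in ("users", "groups"):
                for name in item.get(kind) or []:
                    found.add((key, kind, name))
    return found


def dropped_principals(submitted, returned):
    """Principals present in the request but absent from the server's response.

    Comparison is per item list (allow, deny, ...), not per individual item.
    """
    return sorted(principals(submitted) - principals(returned))


def verify_policy(submitted, returned):
    """Return the stored policy, or raise if any requested principal is missing."""
    missing = dropped_principals(submitted, returned)
    if missing:
        raise PolicyMismatch(f"policy stored without: {missing}")
    return returned


# Constructed sample: the request grants select on table accounts to user1 and
# user2; the response mimics a server where user1 had not been synced yet.
SUBMITTED = {"name": "accounts-select", "policyItems": [
    {"users": ["user1", "user2"], "groups": ["analysts"],
     "accesses": [{"type": "select", "isAllowed": True}]}]}
RETURNED = {"id": 1, "name": "accounts-select", "policyItems": [
    {"users": ["user2"], "groups": ["analysts"],
     "accesses": [{"type": "select", "isAllowed": True}]}]}

if __name__ == "__main__":
    print(dropped_principals(SUBMITTED, RETURNED))
```

A caller that catches `PolicyMismatch` can retry after the user sync has had time to run, which is the corrective action described above.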