User Groups are where all of the access policies' permissions take effect.
A User Group is given a Policy, then Users are assigned to the User Group. Now the user will have the permissions specified by that policy.
Policies are assigned to User Groups for each Context. So a Manager User Group would need to have a policy assigned to it for the "mgr" context, and for members of that group to access pages on the front-end it would need to have at least load, list and view permissions to the "web" and any other front-end contexts.
Make sure to update the User Group and double-check its Permissions tab to make sure it has the correct Access Policy for every context you need.
Resource Groups are connected to User Groups, and any resources assigned to a given Resource Group are visible only to Users who are members of the associated User Group. Manager Users will only have the permissions to act on the Manager that their User Group's Policy allows, and will only be able to access Resources that are assigned to a Resource Group that is connected to their User Group. Unassigned Resources are available to everyone.