Why does a policy trace not match a rule based on username or group when the trace shows the user as authenticated.