How does EEM determine what level of access to grant if a user is a member of more than one group?
Or what if the resource being accessed is covered by multiple policies?
AutoSys 11.x, 12.x
EEM 12.x
There are multiple factors to consider.
Start by determining whether "Use best match evaluation algorithm" is enabled for the policy type being configured.
Example:
EEM UI -> Configure -> Applications -> WorkloadAutomationAE -> as-appl
If "Use best match evaluation algorithm" is enabled, the policy whose resource name has the most characters matching the resource being accessed is the one that determines whether access is granted or denied.
If "Use best match evaluation algorithm" is off, the user is granted access to the resource if ANY policy grants it, unless there is also a deny policy.
Deny policies are evaluated first.
If one is found, evaluation stops there.
If best match is enabled and more than one policy contains the exact resource name, the user has access if either policy grants it.
If the user is a member of more than one group and each group has a different level of access to the resource, a union of access is granted, unless the policy contains specific filters granting access to one group with the restriction that the user not be a member of a secondary group.
Sample Filter:
WHERE (dug:Name==val:DEV
AND dug:Name!=val:TST
AND req:action{}val:read,write)
The result is that members of the dynamic user group DEV have read and write access as long as they are not also members of the dynamic user group TST.
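The evaluation rules described above (deny first, best match versus any grant, union across groups) can be checked against a small model before changing the best match setting. This is an added example, not EEM code: the Policy class, the "*" wildcard matching, the match score and the sample policies are all constructed assumptions, and applying the deny check in both modes is also an assumption.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Policy:                      # hypothetical model of one EEM policy
    name: str
    resource: str                  # resource name; "*" wildcard is an assumption
    groups: frozenset
    actions: frozenset
    deny: bool = False

    def covers(self, resource):
        return fnmatchcase(resource, self.resource)

    def applies_to(self, groups, action):
        return bool(self.groups & groups) and action in self.actions

    def score(self):
        # Assumed "matching characters" metric: literal characters in the name.
        return len(self.resource.replace("*", ""))

def is_allowed(policies, groups, resource, action, best_match):
    groups = frozenset(groups)
    matching = [p for p in policies if p.covers(resource)]
    # Deny policies are evaluated first; a hit stops the evaluation.
    if any(p.deny and p.applies_to(groups, action) for p in matching):
        return False
    grants = [p for p in matching if not p.deny]
    if best_match and grants:
        # Only the closest-matching policy (or policies, on a tie) decides.
        top = max(p.score() for p in grants)
        grants = [p for p in grants if p.score() == top]
    # Best match off: any grant wins. Ties under best match: either may grant.
    return any(p.applies_to(groups, action) for p in grants)

# Constructed sample policies, not taken from a real EEM instance.
POLICIES = [
    Policy("dev-read", "PAY*", frozenset({"DEV"}), frozenset({"read"})),
    Policy("ops-write", "PAY*", frozenset({"OPS"}), frozenset({"write"})),
    Policy("ops-exact", "PAY_JOB1", frozenset({"OPS"}), frozenset({"read"})),
    Policy("tst-deny", "PAY_SECRET*", frozenset({"TST"}),
           frozenset({"read", "write"}), deny=True),
]
```

In this model a DEV-only user can read PAY_JOB1 with best match off, but loses that access when best match is on, because the exact-name policy for OPS becomes the only one consulted.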
For more details on EEM policies, see the following URLs: