How does EEM determine what level of access to grant if a user is a member of more than one group?
Or if the object attempting to be accessed is within multiple policies?
Embedded Entitlements Management
There are multiple factors to consider.
Start by determining if Use best match evaluation algorithm is enabled for the policy type being configured.
Example: EEM UI -> Configure -> Applications -> WorkloadAutomationAE -> as-appl
If "Use best match evaluation algorithm" is enabled then the policy that contains the most matching characters with the resource attempting to be accessed is the one that determines if access is granted or denied.
If "Use best match evaluation algorithm" is off then if ANY policy grants the user access to the resource then they are granted access, unless there is also a deny policy. Deny policies are evaluated first. If one is found the evaluation is stopped there.
If more than policy contains the exact resource name and best match is enabled then if either policy grants the user access they will have access.
If the user is a member of more than 1 group and each group has a different level of access for the resource a union of access is granted. Unless the policy were to contain specific filters granting access to one group with the restriction that they not be a member of a secondary group.
The result would be members of the Dynamic user group DEV would have read and write access as long as they were also not members of the dynamic user group TST.
For more details on EEM policies see the following urls: