I need to implement something like this.
Any member of any of N groups can access the host https://host.samples.com/*, with the exception that the following specific resources are only accessible by users from the corresponding groups, i.e.:
https://host.samples.com?gr=group1 is accessible by users from group1
https://host.samples.com?gr=groupN is accessible by users from groupN
So far, any user gets authorized for a group-related URL because I have a rule to authorize the /* resource for anyone in the groups, and then a specific policy doesn't even kick in.
Just to clarify, you are limiting the access based on the query string? If so, you can create realms with respective query string as resource filter, then configure the rule and policy for each realm.
Thanks for the idea, I used subrealms and it works.
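A simplified model of the sub-realm approach from the reply above, added here as an illustration; it is not code from the thread or from any product. It shows why a single /* realm authorizes every group member for a `gr=` URL and how per-group sub-realms change the decision. The realm tuple layout, the `ANY` deny sub-realm for unrecognised `gr` values, and the function names are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

GROUPS = ["group1", "group2", "groupN"]   # constructed sample groups
PARAM = "gr"                              # query parameter from the question
ANY = object()                            # filter: PARAM present, any value

# Realm = (path prefix, PARAM filter, groups the realm's policy authorizes).
# PARAM filter None means the realm does not look at the query string.
BROAD_ONLY = [("/", None, set(GROUPS))]
WITH_SUBREALMS = (
    BROAD_ONLY
    + [("/", ANY, set())]                 # unrecognised gr value: nobody
    + [("/", g, {g}) for g in GROUPS]     # one sub-realm per group
)

def _rank(realm):
    prefix, flt, _ = realm
    specificity = 0 if flt is None else 1 if flt is ANY else 2
    return (specificity, len(prefix))

def select_realm(realms, url):
    """Return the most specific realm whose filter covers the URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
    matches = []
    for realm in realms:
        prefix, flt, _ = realm
        if not path.startswith(prefix):
            continue
        if flt is ANY and not values:
            continue
        if flt not in (None, ANY) and values != [flt]:
            continue
        matches.append(realm)
    return max(matches, key=_rank, default=None)

def is_authorized(realms, url, user_groups):
    """Apply only the selected realm's policy; no match means deny."""
    realm = select_realm(realms, url)
    return realm is not None and bool(realm[2] & set(user_groups))
```

Matching on the parsed `gr` value rather than on the raw query string keeps the decision independent of parameter order, and a request with a repeated or unknown `gr` lands in the deny sub-realm instead of the catch-all.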