Proper Policy Bindings Help

[gdeeble]

I have a simple policy for validating if the IP is internal using the tutorial from Authentik's documentation but when I bind it, I can't seem to get it to work. I've tried setting my policy engine to "ALL" but then users that should be able to get it internally get access denied.

My end goal is to have the app show when on the internal network and only to those users with the proper AD groups.

1. Must be internal
2. Must be part of App Users or Admins
3. Can be part of App Admins

My set up:
AD groups:

• APP-App_users (Grant users access to the app)
• GRP-Admins (Group so I don't have to add admins to the user groups)
• PRM-App_Admins (Permission group to grant users admin access in app)

Policies:

• Policy-Internal-Network

Configuration:

• Policy Engine: ALL
• Policy-Internal-Network | Position:0 | Negate Results: Off | Failure Result: Don't Pass
• GRP-Admins | Position: 1 | Negate Results: Off | Failure Result: Don't Pass
• GRP-App_users | Position: 1 | Negate Results: Off | Failure Result: Don't Pass
• PRM-App_Admins | Position: 2 | Negate Results: Off | Failure Result: Don't Pass

I've tried a combination of Negate Results off and on as well as failure result pass or don't pass but I have not successfully achieved my goal of check the network, then check if they are part of the Groups, then check if they are part of as the app admin group.

If there is a better way or handling this, I am open to better practices, this is just set up based on me trying to keep things organized(kinda lol) and little tiny bits that I've seen over the years. If any anyone has any good tutorials for policy bindings, I am open to looking over them as well rather than just handing out an answer.