Comment 1 for bug 625363

Jason Stephenson (jstephenson) wrote :

In trunk and in rel_1_6_0, the action.find_hold_matrix_matchpoint function loops first over the requestor object's permission group and its ancestors, and for each group queries config.hold_matrix_matchpoint for a match. This looping stops when the requestor runs out of ancestor permission groups or when a matchpoint is found, as demonstrated by the following code on line 158 of 110.hold_matrix.sql:

EXIT WHEN current_requestor_group.parent IS NULL OR matchpoint.id IS NOT NULL;

This means that any matchpoints applying specifically to the requestor's group will take precedence over any matchpoints that apply to broader permission groups.

This means that you will need to use caution when setting the requestor_grp field in config.hold_matrix_matchpoint, and possibly duplicate any matchpoints applied to ancestor permission groups to ensure that the proper rule is always used.

My suggestion would be to not use the requestor_grp field, setting it always to 1, so that it matches for all users if you can.

Another option might be to remove the OR matchpoint.id IS NOT NULL on line 158. This would cause the function to loop over all matchpoints for the user's group and ancestor groups and then use the matchpoint with the lowest weight score.
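
The two lookup behaviours discussed in this comment, as an added example that is not part of the original comment and is not Evergreen's code: a simplified Python model of the ancestor walk with the early exit, next to the variant that collects every candidate and takes the lowest weight. The group tree, matchpoint ids and weights are constructed sample data, and picking the lowest weight within a single group's query is an assumption.

```python
# Simplified model of the lookup described above; not Evergreen's SQL.
# Group ids, matchpoint ids and weights are constructed sample data.

# permission group id -> parent id (None marks the root group)
GROUP_PARENT = {1: None, 2: 1, 3: 2}

# stand-ins for rows in config.hold_matrix_matchpoint
MATCHPOINTS = [
    {"id": 10, "requestor_grp": 1, "weight": 5.0},  # broad rule on the root group
    {"id": 11, "requestor_grp": 3, "weight": 9.0},  # rule specific to group 3
]


def matches_for_group(grp):
    """Rows whose requestor_grp equals the group being examined."""
    return [m for m in MATCHPOINTS if m["requestor_grp"] == grp]


def best(rows):
    """Lowest-weight row, or None (assumed tie-break inside one group)."""
    return min(rows, key=lambda m: m["weight"]) if rows else None


def find_first_match(requestor_grp):
    """Walk up the tree and stop at the first group that has a matchpoint."""
    grp = requestor_grp
    while True:
        matchpoint = best(matches_for_group(grp))
        # mirrors: EXIT WHEN parent IS NULL OR matchpoint.id IS NOT NULL
        if GROUP_PARENT[grp] is None or matchpoint is not None:
            return matchpoint["id"] if matchpoint else None
        grp = GROUP_PARENT[grp]


def find_lowest_weight(requestor_grp):
    """Walk the whole ancestor chain, then choose by weight alone."""
    candidates = []
    grp = requestor_grp
    while grp is not None:
        candidates.extend(matches_for_group(grp))
        grp = GROUP_PARENT[grp]
    chosen = best(candidates)
    return chosen["id"] if chosen else None


if __name__ == "__main__":
    for grp in (3, 2):
        print(grp, find_first_match(grp), find_lowest_weight(grp))
```

For a requestor in group 3 the two strategies select different rules, which is the case where a group-specific matchpoint shadows one defined on an ancestor group.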