Goddard

Reputation: 13

Rundeck ACL to limit LDAP groups to specific projects

I'm having trouble constructing an ACL policy that will let members of 2 LDAP groups access 4 specific projects. Our version is Rundeck 4.12.0. If anyone could give me a pointer on where I'm making mistakes in the following .yaml config I'd appreciate it.

I've followed the examples detailed here: https://resources.rundeck.com/learning/acl-policy-files-by-example/ but on login, my test user, who is a member of one of the specified groups, gets the message: "You have no authorized access to projects. Contact your administrator. (User roles: qa)". Here is my aclpolicy:

description: System-level read access to specific project
context:
  application: rundeck
for:
  project:
    - equals:
        name:
          - qa
          - qa-sql-cron
          - staging
          - staging-sql-cron
      allow: read
by:
  group:
    - developers
    - qa
---
description: Project-level Access to Create and Delete Jobs
context:
  project:
    - equals:
        name:
          - qa
          - qa-sql-cron
          - staging
          - staging-sql-cron
for:
  resource:
    - equals:
        kind: job
      allow: "*"
by:
  group:
    - developers
    - qa

Upvotes: 1

Views: 281

Answers (1)

MegaDrive68k

Reputation: 4325

Based on this, the following definition is the easiest way (tested on Rundeck 4.12):

description: project context.
context:
  project: '(ProjectONE|ProjectTWO|ProjectTHREE|ProjectFOUR)'
for:
  resource:
    - allow: [run,read]
  job:
    - allow: [read,view,update,run]
  node:
    - allow: [read,run]
by:
  group: [group1,group2]
 
---

description: app context.
context:
  application: 'rundeck'
for:
  project:
  - allow: read
    match:
      name: '(ProjectONE|ProjectTWO|ProjectTHREE|ProjectFOUR)'
  storage:
    - allow: [read]
by:
  group: [group1,group2]

Upvotes: 1
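Added example (editor's code, not from the question or the answer): a small Python model of the Rundeck ACL matching rules used on this page, with the question's project and group names substituted for the answer's placeholders. It shows why the question's `equals:` block with a list of names never grants anything, while the answer's `match:` regex and `context: project: '(...)'` regex do. Assumptions, all labelled in the code: `equals` is exact string comparison, so a YAML list compared with a project name is treated as a non-match (consistent with the "no authorized access" message reported in the question); `match` and the project-context regex must cover the whole name (`re.fullmatch`); `deny` rules and the `contains`/`subset` matchers are not modelled because neither policy on this page uses them. The policies are transcribed as Python dicts so the script runs offline without PyYAML.

```python
import re

# Project and group names from the question, and the regex form the answer
# uses to name several projects at once.
PROJECTS = ["qa", "qa-sql-cron", "staging", "staging-sql-cron"]
PROJECT_RE = "(qa|qa-sql-cron|staging|staging-sql-cron)"
GROUPS = ["developers", "qa"]

# Constructed for this example: the answer's two documents as dicts, with the
# question's names in place of ProjectONE..FOUR and group1/group2.
APP_POLICY = {
    "context": {"application": "rundeck"},
    "for": {
        "project": [{"allow": "read", "match": {"name": PROJECT_RE}}],
        "storage": [{"allow": ["read"]}],
    },
    "by": {"group": GROUPS},
}
PROJECT_POLICY = {
    "context": {"project": PROJECT_RE},
    "for": {
        "resource": [{"allow": ["run", "read"]}],
        "job": [{"allow": ["read", "view", "update", "run"]}],
        "node": [{"allow": ["read", "run"]}],
    },
    "by": {"group": GROUPS},
}
# The question's application-context document: `equals` given a list of names.
QUESTION_APP_POLICY = {
    "context": {"application": "rundeck"},
    "for": {"project": [{"equals": {"name": PROJECTS}, "allow": "read"}]},
    "by": {"group": GROUPS},
}


def _as_list(value):
    """Rundeck accepts either a scalar or a list for allow/group values."""
    return [value] if isinstance(value, str) else list(value or [])


def _rule_matches(rule, attrs):
    """`equals`: exact string equality per attribute (a list never equals a
    string). `match`: regex that must cover the whole value (assumption:
    modelled with re.fullmatch)."""
    for attr, want in rule.get("equals", {}).items():
        if attrs.get(attr) != want:
            return False
    for attr, pattern in rule.get("match", {}).items():
        value = attrs.get(attr)
        if value is None or re.fullmatch(pattern, value) is None:
            return False
    return True


def _rule_allows(rule, action):
    allowed = _as_list(rule.get("allow"))
    return "*" in allowed or action in allowed


def _by_matches(policy, roles):
    """`by: group:` applies when any of the user's roles is listed."""
    groups = _as_list(policy["by"].get("group"))
    return any(role in groups for role in roles)


def can_read_project(policy, roles, project):
    """Application-context decision: may a user with `roles` see `project`?"""
    if policy["context"].get("application") != "rundeck":
        return False
    if not _by_matches(policy, roles):
        return False
    attrs = {"name": project}
    return any(_rule_matches(rule, attrs) and _rule_allows(rule, "read")
               for rule in policy["for"].get("project", []))


def readable_projects(policy, roles, candidates):
    """Which of `candidates` would show up in the project list for `roles`."""
    return sorted(p for p in candidates if can_read_project(policy, roles, p))


def can_do_in_project(policy, roles, project, resource_type, action):
    """Project-context decision: `context: project:` is a regex over the project
    name (assumption: whole-name match); then the rules under
    `for: <resource_type>` are consulted."""
    scope = policy["context"].get("project")
    if scope is None or re.fullmatch(scope, project) is None:
        return False
    if not _by_matches(policy, roles):
        return False
    return any(_rule_matches(rule, {}) and _rule_allows(rule, action)
               for rule in policy["for"].get(resource_type, []))


if __name__ == "__main__":
    # Two extra, constructed project names check that the regex does not leak.
    candidates = PROJECTS + ["qa-prod", "production"]
    print("answer's policy :", readable_projects(APP_POLICY, ["qa"], candidates))
    print("question's policy:", readable_projects(QUESTION_APP_POLICY, ["qa"], candidates))
    print("developers may run jobs in staging:",
          can_do_in_project(PROJECT_POLICY, ["developers"], "staging", "job", "run"))
```

Running it lists all four projects for a `qa` user under the answer's policy and none under the question's, and shows that the unanchored alternation still does not match the constructed `qa-prod` name because the whole name has to match. It also makes one gap visible that a practitioner should check before adopting the answer as-is: the answer's project-context document allows `read, view, update, run` on jobs, whereas the question asked for create and delete as well (`allow: "*"`), so those actions would still be refused.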
