If you encounter a scenario in which the server seems to exhibit a behavior that is not in-line with the expected access control configuration, you can use the Debug ACI Logger to obtain detailed information about the access control decisions the server is making.
You can do this with the following configuration change.
dsconfig set-log-publisher-prop \ --publisher-name "Debug ACI Logger" \ --set enabled:true
After you enable it, this logger records information about its access control decisions to the logs/debug-aci file. Because the server can write huge amounts of data to this file on a busy production server, you might want to try this on a separate instance that has been populated with the same set of access control rules. Alternatively, you can configure the logger with criteria that only matches the operations you are trying to investigate.