The server uses the following properties to determine which client connection policy should be associated with a client connection:

evaluation-order-index
An integer value that specifies the order in which the client connection policy will be evaluated relative to other policies. Each client connection policy must have a unique evaluation-order-index value.
connection-criteria
An optional set of criteria that indicates which connections are allowed to be associated with the client connection policy. That criteria can take several things into account, including the address of the client, the connection handler that accepted the connection, whether it is communicating with the server over a secure connection, whether the client is authenticated, the authentication mechanism, the location or content of the authenticated user’s entry, the groups in which that user is a member, and the set of privileges that they have. If the client connection policy is not associated with any connection criteria, then it matches any connection. See the Connection criteria section of this document for more information.
terminate-connection
A Boolean value that indicates whether to terminate any client connection in which the client connection policy is the first one to match the client connection.

Whenever the server accepts a connection, it iterates through all enabled client connection policies in order from lowest evaluation-order-index value to highest. The first policy that the server encounters that either does not have connection criteria or that has connection criteria that matches the client connection is assigned to that connection. If the connection cannot be associated with any client connection policy because all enabled policies have criteria that do not match the client connection, or if the first matching policy has a terminate-connection value of true, then the connection is terminated.

After processing each bind operation (which might change the authentication state for the client connection) as well as after each StartTLS extended operation (which might change the communication security for the connection) the server re-selects the client connection policy to use for that connection. It might assign the same policy or a different policy to that connection, or it might terminate the connection.