Avoid these pitfalls
Most issues come from mixing up Policy and RBAC, or from forgetting scope, assignment, and effects. Policy is not access control; that is the job of Role-Based Access Control (RBAC). A definition must be assigned. Scope limits where rules apply. The effect decides the outcome: Audit vs. Deny vs. remediate.
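The four pitfalls above can be seen in one run with a simplified model of policy evaluation. This is an added example, not Azure's engine or code from the original page. The class names, resource IDs and the `httpsOnly` property are constructed assumptions, and only the Audit and Deny effects are modelled.

```python
# Simplified model of policy evaluation (added example; not Azure's engine).
# All names, IDs and the rule below are constructed for illustration.
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Definition:
    name: str
    violates: Callable[[dict], bool]  # the "if" condition on resource properties

@dataclass(frozen=True)
class Assignment:
    definition: Definition
    scope: str    # subscription or resource group ID
    effect: str   # "Audit" or "Deny"

def in_scope(resource_id: str, scope: str) -> bool:
    """True when the resource sits at or below the scope (segment-aware prefix)."""
    rid, sc = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    return rid == sc or rid.startswith(sc + "/")

def evaluate(resource_id: str, props: dict, assignments: list) -> dict:
    """Decide a create/update request. The caller's identity is deliberately
    not an input: who may attempt the request is RBAC's question, not Policy's."""
    result = {"allowed": True, "audited": [], "denied_by": []}
    for a in assignments:
        if not in_scope(resource_id, a.scope) or not a.definition.violates(props):
            continue
        if a.effect == "Deny":
            result["allowed"] = False
            result["denied_by"].append(a.definition.name)
        elif a.effect == "Audit":
            result["audited"].append(a.definition.name)
    return result

# Constructed sample data.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod"
DEV_RG = SUB + "/resourceGroups/dev"
https_only = Definition("require-https", lambda p: not p.get("httpsOnly", False))

def storage(rg: str) -> str:
    return rg + "/providers/Microsoft.Storage/storageAccounts/example"

if __name__ == "__main__":
    weak = {"httpsOnly": False}
    print(evaluate(storage(PROD_RG), weak, []))  # definition exists but is unassigned
    print(evaluate(storage(PROD_RG), weak, [Assignment(https_only, PROD_RG, "Deny")]))
    print(evaluate(storage(DEV_RG), weak, [Assignment(https_only, PROD_RG, "Deny")]))
    print(evaluate(storage(PROD_RG), weak, [Assignment(https_only, SUB, "Audit")]))
```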

