I need to implement something like this.
Any member of any of N groups can access the host https://host.samples.com/*, with the exception that the following specific resources are only accessible by users from the corresponding group, i.e.:
https://host.samples.com?gr=group1 is accessible by users from group1
https://host.samples.com?gr=groupN is accessible by users from groupN
So far, any user gets authorized for a group-related URL because I have a rule to authorize the /* resource for anyone in the groups, and then the specific policy doesn't even kick in.
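The following is an added example, not part of the original post and not tied to any particular access-management product: a minimal Python sketch of the evaluation order the requirement implies, where the `gr` query-string rule is checked before the catch-all `/*` rule. The group names, the `authorize` function and the fail-closed handling of unknown or repeated `gr` values are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

HOST = "host.samples.com"                 # host named in the post
GROUPS = {"group1", "group2", "group3"}   # constructed stand-in for the N groups


def authorize(url, user_groups):
    """Return True if a user who belongs to `user_groups` may fetch `url`.

    Hypothetical helper: the specific (query-string) rule is evaluated
    before the catch-all rule, so the catch-all can never shadow it.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != HOST:
        return False

    member_of = GROUPS & set(user_groups)
    if not member_of:
        return False  # not a member of any of the N groups

    # Specific rule: ?gr=<group> requires membership in that group.
    # parse_qs percent-decodes values and returns every occurrence,
    # so "gr=%67roup1" and "gr=group1&gr=group2" are both handled.
    # Assumption: the protected application reads the parameter name
    # case-sensitively as "gr"; adjust if it does not.
    requested = parse_qs(parts.query, keep_blank_values=True).get("gr")
    if requested is not None:
        # Fail closed: every gr value must be a group the user is in.
        # Unknown groups and empty values are denied.
        return all(g in member_of for g in requested)

    # Catch-all rule: any other resource on the host.
    return True


if __name__ == "__main__":
    # Constructed sample requests.
    for url, groups in [
        ("https://host.samples.com/docs/a", ["group2"]),
        ("https://host.samples.com?gr=group1", ["group1"]),
        ("https://host.samples.com?gr=group1", ["group2"]),
        ("https://host.samples.com?gr=group1&gr=group2", ["group1"]),
    ]:
        print(url, groups, authorize(url, groups))
```
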