The Groups Authorization Manager grants access based on an optional set of required scopes and on the requesting user's group membership.
If one or more scopes are configured, any request being authorized must contain all scopes in the list. This is checked independently of the type of operation being performed. Once the scopes have been authorized, the groups claim or the urn:se:curity:claims:admin:groups claim is evaluated to determine which groups the requesting user belongs to. These are matched against the rule list of groups to determine whether the group has access, and what type of access should be granted.
Because the Groups Authorization Manager is resource-agnostic, it supports all types of APIs, including SCIM APIs and GraphQL APIs.
The group rules are configured as a list; if a group in the presented token matches an entry in the list, that authorization rule is applied.
Each rule defines which CRUD (Create, Read, Update, Delete) operations can be performed by that group.
A special case is the * group, which matches any group.
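The evaluation order described above (all configured scopes first, then group claims against the rule list, with * as a wildcard) is illustrated below as an added example. This is not Curity's own code: the claim names come from this page, while the scope name, group names, token payloads and the exact rule semantics (union of the groups and urn:se:curity:claims:admin:groups claims, any matching rule may grant the operation, * requires at least one group to be present) are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Mapping, Tuple

# Claim names taken from the Groups Authorization Manager description.
GROUPS_CLAIM = "groups"
ADMIN_GROUPS_CLAIM = "urn:se:curity:claims:admin:groups"
WILDCARD_GROUP = "*"
CRUD = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class GroupRule:
    """One entry of the rule list: a group name (or "*") and the CRUD operations it may perform."""
    group: str
    operations: frozenset

    def matches(self, token_groups: set) -> bool:
        # "*" matches any group. Assumption: the token must carry at least one group.
        if self.group == WILDCARD_GROUP:
            return bool(token_groups)
        return self.group in token_groups


class GroupsAuthorizationManager:
    def __init__(self, required_scopes: Iterable[str] = (), rules: Iterable[GroupRule] = ()):
        self.required_scopes = frozenset(required_scopes)
        self.rules = tuple(rules)
        for rule in self.rules:
            unknown = rule.operations - CRUD
            if unknown:
                raise ValueError(f"unknown operations in rule for {rule.group!r}: {sorted(unknown)}")

    @staticmethod
    def _scopes(claims: Mapping) -> set:
        # RFC 9068 JWT access tokens carry "scope" as a space-separated string; a list is accepted too.
        scope = claims.get("scope", "")
        return set(scope.split()) if isinstance(scope, str) else set(scope)

    @staticmethod
    def _groups(claims: Mapping) -> set:
        # The page says the groups claim or the admin groups claim is evaluated.
        # Assumption: take the union of whichever of the two is present.
        found = set()
        for name in (GROUPS_CLAIM, ADMIN_GROUPS_CLAIM):
            value = claims.get(name)
            if isinstance(value, str):
                found.add(value)
            elif value is not None:
                found.update(value)
        return found

    def authorize(self, claims: Mapping, operation: str) -> Tuple[bool, str]:
        if operation not in CRUD:
            raise ValueError(f"operation must be one of {sorted(CRUD)}, got {operation!r}")
        # Step 1: every configured scope must be present, whatever the operation is.
        missing = self.required_scopes - self._scopes(claims)
        if missing:
            return False, f"missing required scope(s): {sorted(missing)}"
        # Step 2: only then are the group claims matched against the rule list.
        # Assumption: any matching rule that lists the operation grants it.
        token_groups = self._groups(claims)
        for rule in self.rules:
            if rule.matches(token_groups) and operation in rule.operations:
                return True, f"{operation} granted by rule for group {rule.group!r}"
        return False, f"no matching group rule grants {operation!r}"


def example_manager() -> GroupsAuthorizationManager:
    # Constructed configuration: one required scope and three rules, the last a wildcard.
    return GroupsAuthorizationManager(
        required_scopes={"api"},
        rules=[
            GroupRule("admins", CRUD),
            GroupRule("auditors", frozenset({"read"})),
            GroupRule(WILDCARD_GROUP, frozenset({"read"})),
        ],
    )


# Constructed decoded token payloads (not real tokens).
ADMIN_TOKEN = {"sub": "alice", "scope": "openid api", GROUPS_CLAIM: ["admins"]}
AUDITOR_TOKEN = {"sub": "bob", "scope": "api", ADMIN_GROUPS_CLAIM: ["auditors"]}
NO_SCOPE_TOKEN = {"sub": "carol", "scope": "openid", GROUPS_CLAIM: ["admins"]}
GUEST_TOKEN = {"sub": "dave", "scope": "api", GROUPS_CLAIM: ["guests"]}
NO_GROUP_TOKEN = {"sub": "erin", "scope": "api"}

if __name__ == "__main__":
    mgr = example_manager()
    for label, token, op in [
        ("admin create", ADMIN_TOKEN, "create"),
        ("auditor delete", AUDITOR_TOKEN, "delete"),
        ("admin without scope", NO_SCOPE_TOKEN, "read"),
        ("guest read via *", GUEST_TOKEN, "read"),
        ("no groups", NO_GROUP_TOKEN, "read"),
    ]:
        allowed, reason = mgr.authorize(token, op)
        print(f"{label:22} -> {'ALLOW' if allowed else 'DENY '} ({reason})")
```

The scope check runs before any group lookup and does not depend on the operation, so a token carrying the admins group but lacking the configured scope is denied even for read. The returned reason string is there so a deployment can log why a request was denied, which is what an operator needs when tuning the rule list.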