Policies must be assigned to a User Group before they take effect. Once a policy is assigned to a User Group, the members of the group will have their access governed by that policy. See Users and User Groups for details on assigning policies to a user group.
If a user belongs to more than 1 group, the more permissive policy out of the groups they are assigned to will apply to the user.
Policy 123: Allows access to servers 1 2 3.
Policy 456: Allows access to servers 4 5 6.
Group A: Group is assigned Policy123.
Group B: Group B is assigned Policy456.
User belongs to both Group A and B. This allows user access servers 1 2 3 4 5 6.
Then, create Policy Deny 1: Denies access to server 1.
Assign Policy Deny 1 to Group A. User will only have access to 2 3 4 5 6.
If Policy Deny 1 is switched from Group A to Group B, user has access to 1 2 3 4 5 6.