Can you try not grouping the single field (group name = admin).
Advanced policy is not SoD so there won’t be a concept of “conflicting” access table (left and right), instead the policy criteria is evaluated as a whole once before applying the changes once after (during LCM as preventive) and only once during refresh/detective phase.
I have done similar setups for violations which worked as expected