Hi Mitch,
First of all, I'd say a change from "first match" to "match all" is a "dangerous action" if you don't know very precisely how the policy is designed and works.
Before your change, each request was assigned only one role. Now it may be assigned more than one role. Since a line in the enforcement policy is selected by the assigned roles, this can have a huge impact.
E.g. some user/device may previously have been assigned only the role "FGA Domain Access". Now the same request may be assigned the two roles "FGA Domain Access" and "FGA Domain User Role", e.g. if the device name is not "Windows XP".
Before, if none of the enforcement rules matched for the role "FGA Domain Access", the request was denied.
Now, since that request also has the role "FGA Domain User Role", suddenly line 7 of your enforcement policy will be evaluated. The request which was denied with the "first match" setting will now be allowed, just because you changed to "match all".
You should check Access Tracker and compare the logins before and after your change. You should see which roles were assigned additionally and which enforcement profiles were sent to the NAS based on these roles.
If my assumptions are right, afterwards you can either rework the conditions in your role mapping so that only one of the "FGA" roles will be assigned, or change the conditions in your enforcement policy so that having more than one of the "FGA" roles doesn't have a negative impact. I prefer the latter.
Regards, Jö
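To make the mechanism in the reply above concrete, here is an added toy model of role-mapping evaluation (first match vs. match all) feeding a first-match enforcement policy, written for this page; it is not code from the post, from Mitch's policy or from ClearPass. The rule conditions, the request attributes (`domain_member`, `device`), the placeholder enforcement lines 1 to 6 and the "Deny Access" default are all constructed assumptions; only the two "FGA" role names, the "Windows XP" condition and "line 7" come from the post. The `compare()` function does what the reply recommends doing by hand in Access Tracker: it reports which roles a request picks up additionally and whether the enforcement outcome flips.

```python
"""Toy model: how switching role mapping from 'first match' to 'match all'
changes which enforcement-policy line fires.

Added example for illustration only. Rule contents, attribute names and the
first-match-with-default-deny enforcement model are assumptions, not a
description of any real ClearPass policy.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Request = Dict[str, object]


@dataclass
class RoleRule:
    condition: Callable[[Request], bool]  # evaluated against request attributes
    role: str


@dataclass
class EnforcementRule:
    condition: Callable[[Set[str]], bool]  # evaluated against the assigned role set
    profile: str


def map_roles(request: Request, rules: List[RoleRule], mode: str) -> List[str]:
    """Assign roles to a request.

    mode == "first": stop at the first matching rule (exactly one role).
    mode == "all":   collect the role of every matching rule.
    """
    if mode not in ("first", "all"):
        raise ValueError("mode must be 'first' or 'all'")
    assigned: List[str] = []
    for rule in rules:
        if rule.condition(request):
            assigned.append(rule.role)
            if mode == "first":
                break
    return assigned


def enforce(roles: List[str], rules: List[EnforcementRule],
            default: str = "Deny Access") -> Tuple[Optional[int], str]:
    """First-match enforcement (assumed): the first line whose condition holds
    on the role set selects the profile; no match -> the default profile.
    Returns (line number or None, profile name)."""
    role_set = set(roles)
    for line, rule in enumerate(rules, start=1):
        if rule.condition(role_set):
            return line, rule.profile
    return None, default


# Constructed role-mapping policy: rule 1 fires for every domain member,
# rule 2 additionally fires when the device is not "Windows XP".
ROLE_MAPPING = [
    RoleRule(lambda r: bool(r.get("domain_member")), "FGA Domain Access"),
    RoleRule(lambda r: r.get("device") != "Windows XP", "FGA Domain User Role"),
]

# Constructed enforcement policy: lines 1-6 key on unrelated roles, so a
# request holding only "FGA Domain Access" matches nothing and hits the
# default. Line 7 keys on "FGA Domain User Role".
ENFORCEMENT = [
    EnforcementRule(lambda s, role=role: role in s, f"{role} Profile")
    for role in ["Guest", "Contractor", "Printer", "VoIP Phone", "Quarantine", "IT Admin"]
]
ENFORCEMENT.append(EnforcementRule(lambda s: "FGA Domain User Role" in s, "Allow Access"))


def compare(request: Request) -> Dict[str, object]:
    """Evaluate one request under both role-mapping modes and report the delta,
    i.e. what you would look for when comparing Access Tracker entries."""
    roles_before = map_roles(request, ROLE_MAPPING, "first")
    roles_after = map_roles(request, ROLE_MAPPING, "all")
    line_before, profile_before = enforce(roles_before, ENFORCEMENT)
    line_after, profile_after = enforce(roles_after, ENFORCEMENT)
    return {
        "roles_before": roles_before,
        "roles_after": roles_after,
        "roles_added": [r for r in roles_after if r not in roles_before],
        "line_before": line_before,
        "profile_before": profile_before,
        "line_after": line_after,
        "profile_after": profile_after,
        "outcome_changed": profile_before != profile_after,
    }


# Constructed sample requests.
XP_REQUEST: Request = {"user": "alice", "domain_member": True, "device": "Windows XP"}
WIN10_REQUEST: Request = {"user": "bob", "domain_member": True, "device": "Windows 10"}

if __name__ == "__main__":
    for req in (XP_REQUEST, WIN10_REQUEST):
        print(req["user"], compare(req))
```

Running it shows the effect the reply describes: the Windows XP request gets "FGA Domain Access" in both modes and stays on the default deny, while the Windows 10 request additionally receives "FGA Domain User Role" under "match all", line 7 fires, and a request that was denied is now allowed. The same comparison loop, run over real Access Tracker data, is how you would find every login whose outcome flipped after the change.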