Let me clarify things a bit. I have two services, one for devices connected to wired switches and one for devices connected wired to 303H access points. They are both 802.1X wired services. Devices connected to switches get a different enforcement policy than those connected to 303H access points. The access points tunnel back to the controllers, and roles and ACLs are applied at the controller. On the other hand, switches will use an enforcement policy that will apply downloadable user roles and ACLs that will apply at the switch or at the controller depending on whether or not the user device is in a role that is tunnelled back to the controller or not. The enforcement policy applied should be determined by whether or not the user device is connected to a switch or a 303H.
For switches, the service can look at device group membership to determine if a service should be applied. I'd like to be able to do something similar for the 303H service and restrict the service to 303Hs. Right now, if the 303H wired service is before the switch wired service, it is applied even if the device is connected to a switch. I think service ordering could take care of this by putting the switch service before the 303H service, but I'd rather have more control over it than that, as if I forget and change the order in the future, it could break things.