Yes, that seems to give full access, so that may work with the controllers, but it does not seem to work on my IAPs.
That policy also seems to have a Privilege level of 15. Maybe someone changed it from the default, but that is what our system has. I tried making that 0 but I seemed to get the same result.