We found the answer: the role derivation rules are shown in two different places in the GUI, which is a cardinal sin in the world of interface design. Bafflingly, the two different places have different features.
Configuration > Authentication > Server Group: this allows you to reorder the rules
Confuguration > WLANS > Access: this allows you to add and remove rules, but not reorder them.
Can we have the clustering features of 8.5 with the user interface of 6.5?