ACLs on Table (cmdb_ci) for ITIL Role

I need some help on ACLs for the CMDB.

Currently, the three OOB ACLs (create, write, and delete) have required roles set for asset and itil.

We would like to do the following for CIs by using ACLs

1. Remove create and delete for users with the ITIL role ... only allow for Asset role
2. Only allow write for users with the asset role or only for the members of the 'Managed By' group that is set on the CI
   • asset role can modify all CIs
   • members of Managed_By group can only modify the CIs where their group is set on a CI

Steps done for the create and delete ACLs:

• the current OOB ACL
  • made a copy
  • deactivated the ACL
• the new ACL
  • removed the itil role

Steps done for the write ACL:

• the current OOB ACL
  • made a copy
  • deactivated the ACL
• the new ACL
  • added a condition that looks for the managed_by group on the CI ... see script condition attachment

Issue:

• When I impersonate a user (Jay) who is not part of the Managed By group (Infra SAS) on a CI (sdapp1) and try to write to it (added the text 'testing acl' to the description field) - it allows him to update the CI ... see ci settings attachment

Why can the user update the CI when he is NOT part of the group set in the Managed By field on the configuration item?

Any help or guidance on this would be greatly appreciated.

thank you

TheKatherine