Hey @jcmings - 

I think using COE Security Policy is the way to go. I think in the long run, even though you would need to create policies for multiple COEs based on different services and/ or Groups. I think it will be much easy to control and maintain over a period of time. That way, as groups change with who joins them, the security is added to them right away. Using the criteria, like you mentioned, it does not look at the user properly.

At least with the COE Security Policy, it looks at the table as a whole along with your conditions. I would use COE Security Policies between the two options.

And once you get into deselecting the Applies to all HR Services, allowing yourself to select which service, and adding the group(s) to that policy (and adding in a condition if needed), I just think that would be far better and easier to work with overall.

Hope this helps in your decision making!

Cheers,

-Rob