I'm trying to setup a query Business Rule to restrict internal users to viewing other users according to their categorisation, as defined on a custom field on the sys_user table. The custom field on the sys_user form is called 'u_user_catgroup', and this is a choice field with 3 options:

Amber - Should see other users which have a u_user_catgroup of Amber, Green or Blue, i.e., see all users. 

Green - Should only see other users which have a u_user_catgroup of Green or Blue.

Blue - Should only see other users which have a u_user_catgroup of Blue.

Internal users should only be able to see users which correspond to the above, i.e., an internal user with a u_user_catgroup value of 'Blue' should only be able to see other users with a u_user_catgroup value of 'Blue'. A user with a a u_user_catgroup value of 'Green' should be able to see other users with a u_user_catgroup value of 'Blue' or 'Green' whilst 'Amber' users can see all categories. 

There is an existing custom Query Business Rule which limits users with no roles to only see other users from their company (which works fine, which is the 1st section before the first 'else' statement), so this additional check for logged in users with roles is being added onto that query business rule:

(function executeRule(current, previous /*null when async*/ ) {

    //Limit the visibility of users for logged in users, see advanced condition, and for users who do not have any roles
    if (!(gs.getUser().hasRoles())) { //Check that the user does not have roles
        var comp = gs.getUser().getCompanyID(); //look up the company ID from the user
        current.addQuery("company", comp); //restrict visibility of users to the company of the user performing the query
    } else {
        var userCatGroup = gs.getUser().getRecord().getValue('u_user_catgroup'); //get the value of the u_user_catgroup field from the logged in user record
        gs.log('The value of the logged in user catGroup is :' + userCatGroup);
        if (userCatGroup == 'Amber') { //If 'Amber' then allow visibility of all user record categories
            current.addQuery("u_user_catgroup", 'Amber').addOrCondition("u_user_catgroup", 'Green').addOrCondition("u_user_catgroup", 'Blue');
        } else if (userCatGroup == 'Green') { //If 'Green' then allow visibility of Blue and Green users
            current.addQuery("u_user_catgroup", 'Green').addOrCondition("u_user_catgroup", 'Blue');
        } else if (userCatGroup == 'Blue') {//If 'Blue' then allow visibility of Blue users
            current.addQuery("u_user_catgroup", 'Blue');
        }
    }
})(current, previous);

When the script hits the gs.log I get very inconsistent results...  it shows the variable 'userCatGroup' as either being 'Green' (even though my test user I'm impersonating is set to a value of Blue or Amber) or when I'm querying myself as an admin then the log message comes back empty, i.e.,