Separate policies between users

Good day.
Can you please tell me how to properly separate policies between users?

Now I have it set up like this:
There is an OU that the LDAP resolver is configured for. It contains users (1) who are allowed access to the VPN around the clock.

Now there is a need to give other users (2) access, which is limited in time.
I found a description of time limits in the help.
If I understand correctly, I need to create copies of the current policies using the valid time field for these users.
I can create a new LDAP resolver for users (2) that will look at another OU and use it in the set of copies of the rules in the user-realm field.

But how will the request be processed if the user is in two groups at the same time? For example, the operator might add the user to both groups by mistake.
Or am I thinking in the wrong direction?
Thank you in advance.