Chapter 3 Authentication for FortiOS 5.0 : Configuring authenticated access : Authentication in security policies : Identity-based policy : Identity-based sub-policies
  
Identity-based sub-policies
Once IBP is enabled in a policy, a table appears. Selecting Add allows you to configure authentication rules which are added to this table as sub-policies.
Just as with regular security policies, with these identity-based sub-policies traffic is matched from the top of the list of sub-policies down until the criteria is met. If there is no matching policy packets are dropped, even if they have been authenticated. Each sub-policy has its own UTM profile fields, traffic shaping, logging, and so on that take effect when the User Group, Service and Schedule are matched.
The order of these sub-policies is just as important as with regular security policies. For example if a user is a member of two groups, and each group has a separate sub-policy entry, the top one in the list will be matched first.