Note that if you log in to the CLI using the confd_cli tool, your group id is different (unless you use the --group flag), so the NACM rules will not trigger as expected.
Try logging in using the confd_cli --group (or -g) flag, NETCONF or SSH when you test your NACM rule. For example:
$ confd_cli -u my-username -g my-group
or
$ ssh -l my-username 127.0.0.1 -p 2024
Demo of the difference between confd_cli with and without the -g flag, and SSH:
$ confd_cli -u oper
# id
user = oper(501), gid=20, groups=oper,staff,access_bpf,everyone,localaccounts,_appserverusr,admin,_appserveradm,_lpadmin,_appstore,_lpoperator,_developer,com.apple.access_screensharing,com.apple.access_ssh, gids=12,20,33,61,79,80,81,98,100,204,398,399,503
# exit
$ ssh -l oper 127.0.0.1 -p 2024
oper@127.0.0.1's password:
# id
user = oper(9000), gid=20, groups=oper, gids=
# exit
$ confd_cli -u oper -g oper
# id
user = oper(501), gid=20, groups=oper, gids=12,20,33,61,79,80,81,98,100,204,398,399,503
#
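
The following is an added example, not part of the original post or of ConfD: it parses the three `id` outputs shown above and lists which NACM rule-lists would apply to each session. The rule-list names and their group assignments (`admin-rules`, `oper-rules`) and the function names are assumptions made for illustration; the matching rule (a rule-list applies when it names "*" or any of the session's groups) is the one in RFC 8341.

```python
import re

# The three `id` outputs from the post above, keyed by how the session was opened.
ID_OUTPUT = {
    "confd_cli -u oper": "user = oper(501), gid=20, groups=oper,staff,access_bpf,everyone,localaccounts,_appserverusr,admin,_appserveradm,_lpadmin,_appstore,_lpoperator,_developer,com.apple.access_screensharing,com.apple.access_ssh, gids=12,20,33,61,79,80,81,98,100,204,398,399,503",
    "ssh -l oper": "user = oper(9000), gid=20, groups=oper, gids=",
    "confd_cli -u oper -g oper": "user = oper(501), gid=20, groups=oper, gids=12,20,33,61,79,80,81,98,100,204,398,399,503",
}

# Constructed NACM rule-lists (name, groups) in evaluation order; not from the post.
RULE_LISTS = [("admin-rules", {"admin"}), ("oper-rules", {"oper"})]


def parse_groups(id_line):
    """Return the group names from one line of CLI `id` output."""
    m = re.search(r"groups=(\S*), gids=", id_line)
    if m is None:
        raise ValueError("no groups= field in: %r" % id_line)
    return [g for g in m.group(1).split(",") if g]


def applicable_rule_lists(groups, rule_lists=RULE_LISTS):
    """Names of rule-lists that match the session's groups, in order.

    Per RFC 8341 a rule-list applies if its group leaf-list contains "*"
    or any group the user belongs to.
    """
    member = set(groups)
    return [name for name, rl_groups in rule_lists
            if "*" in rl_groups or member & rl_groups]


def report():
    """Map each login method to the rule-lists that would be evaluated."""
    return {how: applicable_rule_lists(parse_groups(line))
            for how, line in ID_OUTPUT.items()}


if __name__ == "__main__":
    for how, names in report().items():
        print("%-28s -> %s" % (how, ", ".join(names) or "(none)"))
```

With these sample rule-lists, the plain `confd_cli -u oper` session also matches the rule-list for `admin`, because the session's groups include the OS user's other groups; the SSH and `-g oper` sessions match only the `oper` rule-list.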