I thought I had a simple use case for this module, but it won't work and I don't understand why. Using latest D11.
Use case:
Allow users with role Department Editor AND a given taxonomy term, e.g. "Finance", to edit a page assigned the term "Finance".
I created the Department taxonomy and the field on both the Content type and the User (role Department editor), and assigned the Finance term to both.
In the Node permissions, the Department editor does NOT have the edit permission.
I created the access policy "Department Access", and set it to only handle the view unpublished and Edit operations.
I added the rule Compare Department with User, set to Is One of (Department) with an empty policy of Ignore.
For manage selection I have Department (not empty).
The policy applies using the selection rule, because when the node has the Finance term selected, the admin user can see status of Access: Department.
However, when the user with the Department editor role and the Finance term views the content list of the node, there is no edit access granted.
My exported config for the Department editor role shows in permissions - 'edit department_access content'
Here is the config for the access policy:
uuid: b454da7c-dc5c-4f8c-8672-c75fee485491
langcode: en
status: true
dependencies: { }
id: department_access
label: 'Department access'
description: null
weight: 0
access_rules:
match_field_department:
id: match_field_department
group: node
plugin_id: entity_field_entity_reference
field: field_department
entity_type: node
settings:
admin_label: ''
query: true
value:
field: field_department
operator: in
empty_behavior: ignore
required: false
access_rule_operator: OR
query: true
target_entity_type_id: node
operations:
view_unpublished:
permission: true
access_rules: true
show_column: true
edit:
permission: true
access_rules: true
show_column: true
view:
permission: false
access_rules: false
show_column: false
view_all_revisions:
permission: false
access_rules: false
show_column: false
delete:
permission: false
access_rules: false
show_column: false
manage_access:
permission: true
access_rules: false
show_column: false
type: group
http_403_response: { }
selection_rules:
field_department_1:
id: field_department_1
group: node
plugin_id: entity_reference
field: field_department
entity_type: node
settings:
id: field_department_1
operator: 'not empty'
value: { }
field_access:
type: permission
permission: 'assign department_access access policy'
admin_label: ''
required: false
selection_rule_operator: OR
selection_set: { }
Any ideas, or where in the code can I begin to debug the permission grant?
Active
2.0
Code