APM Deny ACL Blocking Portal Access Resources

I hoping this is an easy one.. I have added a deny all ACL to an access policy, ensuring that it is last in the ACL order. However it is blocking portal access resources - with configured resource items.

 

My understanding is that providing the user defined deny ACL is processed after the ACEs that make up the portal access resources, then access to these resources should be permitted.

 

Am I missing something??

 

Thanks MP