Layer-7 URL ACL is not working properly in APM

hi all,

i would like to publish some web application for outside users via portal access on APM webtop with a restricted url directory access, I have tried and configured APM in the following way but its not working properly,

Suppose my uri is

Under the Portal access config. Link type : Applicaion URI Application URI : https://example.com/cms/admin/reports

Under the resources tab hostname: example.com Path : /cms/admin/reports/*

then i created an Laeyer 7 ACL with following value in order to restrict the other directory access for the admin users. Hostname: example.com Path : /cms/* Action : Reject.

After that I am able to successfully logged in and able to access the application, But if a user is trying to access he is also able to get that directory also. Basically all the users have the access to all the url directories. My final goal is if an admin user is logged in, he should be able to access only the admin/reports/* directory. and if an HR is logged in he should be able to access only cms/hr/reports/* directory

Is any one can help me to solve this issue, that would be highly appreciated.