diff --git a/services/web/app/src/Features/Authorization/PermissionsManager.js b/services/web/app/src/Features/Authorization/PermissionsManager.js
index a15110deef..e93c4fea41 100644
--- a/services/web/app/src/Features/Authorization/PermissionsManager.js
+++ b/services/web/app/src/Features/Authorization/PermissionsManager.js
@@ -272,8 +272,8 @@ function hasPermission(groupPolicy, capability) {
 const results = getEnforcedPolicyNames(groupPolicy).map(userPolicyName =>
 getCapabilityValueFromPolicy(userPolicyName, capability)
 )
- // if there are no results, return the default permission
- if (results.length === 0) {
+ // if there are no results, or none of the policies apply, return the default permission
+ if (results.length === 0 || results.every(result => result === undefined)) {
 return getDefaultPermission(capability)
 }
 // only allow the permission if all the results are true, otherwise deny it
diff --git a/services/web/test/unit/src/Authorization/PermissionsManagerTests.js b/services/web/test/unit/src/Authorization/PermissionsManagerTests.js
index 9115dd8b38..104be522f1 100644
--- a/services/web/test/unit/src/Authorization/PermissionsManagerTests.js
+++ b/services/web/test/unit/src/Authorization/PermissionsManagerTests.js
@@ -86,12 +86,22 @@ describe('PermissionsManager', function () {
 const groupPolicy = {
 policy: true,
 }
- const capability = 'capability3'
- const result = this.PermissionsManager.hasPermission(
- groupPolicy,
- capability
- )
- expect(result).to.be.false
+ {
+ const capability = 'capability3'
+ const result = this.PermissionsManager.hasPermission(
+ groupPolicy,
+ capability
+ )
+ expect(result).to.be.true
+ }
+ {
+ const capability = 'capability4'
+ const result = this.PermissionsManager.hasPermission(
+ groupPolicy,
+ capability
+ )
+ expect(result).to.be.false
+ }
 })
 
 it('should return the default permission if the policy is not enforced', function () {
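Review bot: A mixed result is not covered by the new guard in hasPermission: when one enforced policy returns a value and another returns `undefined`, the array skips the default branch and reaches the all-true check that follows, whose code lies outside this hunk and presumably counts `undefined` as a denial. That outcome is fail-closed, but the comment should state it, for example `// mixed results (some undefined) are still decided by the all-true check below`. This branch now returns `getDefaultPermission(capability)` for users who are under an enforced policy, so a capability whose default is true is granted where the old code denied it, as the updated test expectation shows; the capability defaults are worth re-reading with that in mind. `results.length === 0 ||` is redundant, because `every` is true for an empty array, so the condition can be `if (results.every(result => result === undefined)) {`.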
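Review bot: The two expectations are packed into bare `{ ... }` blocks inside a single `it`, here and in the hunk at -192, so a failure on `capability3` ends the test before `capability4` is checked, and the test title (outside both hunks) can no longer describe one behaviour. Splitting each into its own case, for example `it('should return the default permission if the policy does not mention the capability', function () {`, would make the report name the failing rule. Neither hunk exercises a group policy with two enforced policies where only one mentions the capability, which is the case the new condition in hasPermission leaves to the all-true check; a test for it would pin that authorization decision. The fixtures that define `capability3` and `capability4` are not visible here, so the reading of which one the policy mentions is inferred from the expected values.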
@@ -192,12 +202,22 @@ describe('PermissionsManager', function () {
 const groupPolicy = {
 policy: true,
 }
- const capability = 'capability3'
- const result = this.PermissionsManager.hasPermission(
- groupPolicy,
- capability
- )
- expect(result).to.be.false
+ {
+ const capability = 'capability3'
+ const result = this.PermissionsManager.hasPermission(
+ groupPolicy,
+ capability
+ )
+ expect(result).to.be.true
+ }
+ {
+ const capability = 'capability4'
+ const result = this.PermissionsManager.hasPermission(
+ groupPolicy,
+ capability
+ )
+ expect(result).to.be.false
+ }
 })
 })
 })