OK, so I'm just trying to verify that I have this all configured right. In one of our local policies I have 2 account units showing up:

The '-g' group is created in the global policy so I can create access roles that can be used globally. I have created 2 access groups:

One with the '-g' is created in the global policy and is added to the local policy when global is reassigned. The one without the '-g' was just created locally. I created 2 rules, granting ICMP access to different servers. If I try to ping either of the servers, it doesn't hit on either of the rules, global or local.
If I check pdp monitor user for my account it only shows that I'm in the 'All Users' group. Do I need to create an Access Group first and then an access role? I had this working locally and then the pdp service stopped responding and I had to reconfigure it on the gateway.
When you mentioned the User Directory on the Gateway object I can only use the 'Any' option or use the local Account Unit. If I try to use the global one it just errors out and says that the global object can't be modified. Should I leave it at any or should I select the local Account Unit?