>That finds the rules for a user with both group and individual rules fine, but it finds too many rules for a user NOT in a group, since their cgroupid is 'ZZZZZZ'.
If I've got this correct...
A user who does not belong to a group has a group id of ZZZZZZ.
Rules which pertain only to individuals have a group id of ZZZZZZ,
so you can't match on the user's groupid because it finds the rules that don't belong to a group.
Is it possible to change the "no group" group id in either table so that you don't get this match? Otherwise, you can add an
AND cgroupid <> "ZZZZZZ"
to the part of the query joining the group records.
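
The over-match and the suggested extra condition, reproduced as an added example that is not part of the original post. Only the `cgroupid` column and the `ZZZZZZ` sentinel come from the thread; the table names, the `cuserid` and `crule` columns, the sample rows and the shape of the join are assumptions, run here on SQLite.

```python
import sqlite3

# Constructed schema and rows. Only cgroupid and the 'ZZZZZZ' sentinel come
# from the thread; users, rules, cuserid and crule are assumed names.
SCHEMA = """
CREATE TABLE users (cuserid TEXT PRIMARY KEY, cgroupid TEXT);
CREATE TABLE rules (crule TEXT, cuserid TEXT, cgroupid TEXT);
INSERT INTO users VALUES
  ('alice', 'ADMINS'),          -- belongs to a group
  ('bob',   'ZZZZZZ'),          -- no group: carries the sentinel
  ('carol', 'ZZZZZZ');
INSERT INTO rules VALUES
  ('admins-rule', '',      'ADMINS'),   -- group rule
  ('alice-rule',  'alice', 'ZZZZZZ'),   -- individual rules carry the sentinel
  ('bob-rule',    'bob',   'ZZZZZZ'),
  ('carol-rule',  'carol', 'ZZZZZZ');
"""

# Assumed shape of the problem query: match on user id OR on group id.
# For an ungrouped user the group match hits every individual rule.
NAIVE = """
SELECT r.crule FROM rules r JOIN users u
  ON r.cuserid = u.cuserid OR r.cgroupid = u.cgroupid
WHERE u.cuserid = ? ORDER BY r.crule
"""

# Same query with the sentinel excluded from the group-matching branch.
FIXED = """
SELECT r.crule FROM rules r JOIN users u
  ON r.cuserid = u.cuserid
  OR (r.cgroupid = u.cgroupid AND r.cgroupid <> 'ZZZZZZ')
WHERE u.cuserid = ? ORDER BY r.crule
"""

def rules_for(query, user):
    """Return the rule names the given query selects for one user."""
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        return [row[0] for row in con.execute(query, (user,))]
    finally:
        con.close()

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "naive:", rules_for(NAIVE, user))
        print(user, "fixed:", rules_for(FIXED, user))
```

With these rows the ungrouped user picks up the other users' individual rules under the first query and only their own under the second, while the grouped user's result is unchanged.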