1. After I deleted all sessions in my tmp directory, the script worked as it should, using code like
allow if treasurer = <?php echo $_SESSION['level']; ?>
2. Groups - the secret it seems is to set up groups of groups like one, two, three, oneandtwo, notoneandtwo.
oneandtwo has groups one and two in it
notoneandtwo has all the groups that are not in group oneandtwo i.e. in this example, group three
Then you set up a rule that says:
Allow if <?php echo $_SESSION['level']; ?> is in oneandtwo -allows groups one and two
restrict <?php echo $_SESSION['level']; ?> is in notoneandtwo. - restricts group three
Set up a hidden region on the part of the page that you wish to hide and apply both the rules above to it.
That should hide the area to group three.
In this case you could also just say restrict if session variable is in three, but its better to have the inverse as well, in case you add some more groups that could complicate the logic.
If there was a criteria "not in group", you would save some code but there isn't.
Took a long time but I got there in the end.