I get it.
My authenticate user behavior was being too restrictive.
I simply authenticate the user with the user name and password.
I am already storing the accountid and userlevel as session variables and using the userlevel session variable in the access rules.
Perfect.