my point is that the access rules you created use a session variable named "userLevel"
no session variable named userLevel is created when the user logs in.
perhaps it would help if you viewed the "User Level Authentication" tutorial in the solution recipe section of the security assist support page:
securityassist/