Alas, I cannot remove the first rule because that would break authz for all the other users in that group who do not have per-building permissions. The rules were, at some point, additive: first the GroupName rule would apply, then, if there was another rule specific to the UserName, it would also be applied. They were AND’d together. Somehow that has stopped working.
Instead, I just finished switching over to tag-based RLS, and that is working much better and has the added benefit of allowing us to avoid needing to sync all our group/user permissions ahead of time. So it’s a net win for us.