@User was able to test your schema. The main difference is in mine, users is banned from api and in yours they are banned from application. I have this assertion in mine that fails when i ban a user from an app in your schema

// ban g1user4 in g1 from accessing api1. they can still access other api
apiresource:api1#banned@user:g1user4