Per the release notes:
If the configuration specifies both a global access policy and interface-specific access policies, the interface-specific policies are evaluated before the global policy.
How does this work with the implicit deny rules on an interface? I'm assuming that it evalutes all the user-defined access rules on the interface, but doesn't run it through the implicit deny all on the interface, then runs it through the global policy. If nothing matches in the global scope, then an implicit deny is matched at the end of the global policy - is this correct?