TLS Certificate Auth Method permission settings

I turned on TLS Certificate Auth Method. In order to make different members have different permissions, I created two roles, added their own allowed_organizational_units attributes, and specified their own policies, so as to achieve access to different secrets.
When logging in to the role to obtain the token, the specific roleName is not specified, so that the successfully matched token is returned according to the OU in the client certificate. But now there is an exception, that is, a specific member of a certain ou group wants to have other group permissions in addition to his own group permissions.
I tried the rest of the properties of Constraints and found that it is an and relationship(if it is an or relationship,this problem is solved), so there is no way to add special values.
I also tried using groups and entities, but it feels like this is mainly designed for having multiple Auth Methods enabled.
Now, what should be done in this case?