Correct combined access policy logic

[chrisb2244]

The documentation here describes combining access policies to avoid logic errors, but the intent described doesn't appear to match what was coded in the example.

The or element provides the same behaviour as the pair of separate policies, and inverting the grade_level check doesn't appear to be required based on the described intent.