
Multiple AD groups for web filtering

Hello community,

I was deploying an XG Firewall in an environment and I was asked about using multiple AD groups for web filtering in the web policies/firewall rules. I saw in some threads and also in this KB that XG maps the user in a top-down approach, matching the user on the first group based on the "Member of" in AD. So, officially Sophos says its architecture doesn't allow using multiple AD groups for web filtering.

The thing is, it actually does allow it. I have many XG deployed on different environments and it works. For example: I have a "Basic_Group" that doesn't allow the web category Social Networking. Then I create the "Social_Group" on the AD and create the following web policy on XG:

Social_Group ------- Social Networking ------- Allow

Anybody ------------ Social Networking ------- Deny

Users that are only in the Basic_Group will not access Social Networking. Users with Basic_Group + Social_Group will. And to make it clear, the group of that user appearing in Sophos is "Basic_Group".

This scenario also works for VPN access, like a user with "Basic_Group" appearing on Sophos but being a member of both the Social_Group and "VPN_Access" groups being able to surf social networking at work and use the VPN at his home using his AD credentials.

So why does Sophos say all of this is not possible when it actually works? Or since when has it started to work? Is all of this a bug?

I would like to know if someone else has this scenario working, because it is really awkward to tell my client that this works while Sophos says it doesn't. It seems like I'm lying.

[edited by: Erick Jan at 12:07 AM (GMT -7) on 16 Sep 2022]
Hello Mariows!

I worked with a client where the scenario was similar: AD users were members of several groups in AD and it worked perfectly. The only thing I noticed in the web policy rules while using this scenario is that, just like in firewall rules, the match happens top-down. If, for example, a user is a member of the FACEBOOK group and the Basic_access1 group and the rules are sorted as follows in the web policy:

FACEBOOK ----------------------- Social Networking --------------------- Allow
Basic_access1 ------------------- Social Networking --------------------- Deny

access will be allowed for the user who is a member of both groups, but if it is the opposite:

Basic_access1 -------------------- Social Networking --------------------- Deny
FACEBOOK ----------------------- Social Networking --------------------- Allow

access will be denied to the user who is a member of both groups.
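The ordering behaviour described in both posts above (first matching rule wins, with a user who belongs to several AD groups) can be checked with a small model. The following is an added example written for this thread, not Sophos code and not a description of XG's internal matcher; it assumes that the rule evaluator sees every AD group the user is a member of (the point the original poster observed in practice), that "Anybody" is a catch-all group, and that a category with no matching rule falls through to a default action. The group and category names are the ones used in the thread.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Hypothetical model of a web-policy rule: an AD group (or the catch-all
# "Anybody"), a web category, and the action taken on a match.
@dataclass(frozen=True)
class WebRule:
    group: str
    category: str
    action: str  # "Allow" or "Deny"

ANYBODY = "Anybody"

def first_match(rules: Iterable[WebRule], user_groups: set, category: str,
                default: str = "Allow") -> Tuple[str, Optional[WebRule]]:
    """Top-down, first-match evaluation (assumed, modelled on the thread).

    Returns the action and the rule that produced it, or (default, None)
    when no rule for the category matches any of the user's groups.
    """
    for rule in rules:
        if rule.category != category:
            continue
        if rule.group == ANYBODY or rule.group in user_groups:
            return rule.action, rule
    return default, None

# Policy from the original post: a dedicated group is allowed first,
# everyone else is denied by the catch-all rule below it.
OP_POLICY = [
    WebRule("Social_Group", "Social Networking", "Allow"),
    WebRule(ANYBODY, "Social Networking", "Deny"),
]

# The two orderings from the reply: same rules, different order.
REPLY_ALLOW_FIRST = [
    WebRule("FACEBOOK", "Social Networking", "Allow"),
    WebRule("Basic_access1", "Social Networking", "Deny"),
]
REPLY_DENY_FIRST = [
    WebRule("Basic_access1", "Social Networking", "Deny"),
    WebRule("FACEBOOK", "Social Networking", "Allow"),
]

def decisions() -> dict:
    """Evaluate the thread's cases; constructed users, not real accounts."""
    basic_only = {"Basic_Group"}
    basic_and_social = {"Basic_Group", "Social_Group"}
    both_reply_groups = {"FACEBOOK", "Basic_access1"}
    cat = "Social Networking"
    return {
        "op_basic_only": first_match(OP_POLICY, basic_only, cat)[0],
        "op_basic_and_social": first_match(OP_POLICY, basic_and_social, cat)[0],
        "reply_allow_first": first_match(REPLY_ALLOW_FIRST, both_reply_groups, cat)[0],
        "reply_deny_first": first_match(REPLY_DENY_FIRST, both_reply_groups, cat)[0],
    }

def conflicting_rules(rules: Iterable[WebRule], user_groups: set) -> list:
    """Audit helper: list rules a multi-group user matches that are
    shadowed by an earlier rule with a different action for the same
    category. Useful when reviewing why a user got an unexpected result."""
    seen = {}
    shadowed = []
    for rule in rules:
        if rule.group != ANYBODY and rule.group not in user_groups:
            continue
        winner = seen.setdefault(rule.category, rule)
        if winner is not rule and winner.action != rule.action:
            shadowed.append(rule)
    return shadowed

if __name__ == "__main__":
    for case, action in decisions().items():
        print(f"{case}: {action}")
    print("shadowed:", conflicting_rules(REPLY_DENY_FIRST, {"FACEBOOK", "Basic_access1"}))
```

The `conflicting_rules` helper is the part worth keeping when troubleshooting a real policy: for a given user it reports every later rule whose action is overridden by an earlier match in the same category, which is exactly the situation the reply describes when the Deny rule sits above the Allow rule.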