In the console log I can see message ESFEM1030I with 3 different types of messages:
 
AUTH allowed by rule
AUTH deny by rule
AUTH Satisfied by rule

YOURRGN ESFEM1030I ESM1: MLDAP ESM: someuser AUTH request for "SOME RESOURCE" allowed by rule "SOMERULE.**"                                                                                                      

YOURRGN ESFEM1030I ESM1: MLDAP ESM: someuser AUTH request for "SOME RESOURCE" denied by rule "SOMERULE.**"                                                                                                      

YOURRGN ESFEM1030I ESM1: MLDAP ESM: someuser AUTH request for "SOME RESOURCE" satisfied by rule "SOMERULE.**"      

Satisfied by rule does not mean allowed by rule nor does it mean denied by rule, it means the rule was used to satisfy the request.

ESF is not for auditing as it is only the link between the requestor and the LDAP security resource manager, it cannot control how the request is presented nor can it control how the LDAP security resource manager response to the request.

"Satisfied by rule" is a response from a query that asked security level for that resource, it does not mean allowed or denied that is determined by the requester as to how they wanted to use the information. Some program can request the level so they can see what buttons should appear on the screen. IE ADD, APPLY or DELETE buttons. A user may have some access to a resource so they would only get the buttons that applies. This is used so that 4 or 5 requests are not made for the same resource one for each type of function. 

ESFEM1030I message is for giving information on how the security manager is processing a request when rule tracing is turned on.

Different types of request can get different types of responses from the LDAP security manager, so this massage is showing what the LDAP security manager.