D+ rules for groups & efficiency

When CIS is perusing the D+ rules for resource access rights and it encounters a group, does he check the permissions for the group prior to he examining if the image exists in the group, or does he look for a match of the image in the group and then look for a match for rights for any arbitrary resource access?

Also, when he’s perusing the D+ rules list, does he scan through all the detritus ensonced within any arbitrary image’s rules on his way looking for an image name rule? Or are the D+ rules held in memory akin to a linked list and jumps from node to node, i.e., each node being image path or gruup name.

For example, SVCHost has like 1 billiion rules associated with it. Say he’s looking for browser resource access rights and he reads through the D+ rules and encounters SVCHost, does he scann through ALL of the 1 billion associated rules on his way to the next image rule? Or just bypasses all that in one clock tick and hits the next image rule?

Reason being for the qwexion: I’ve discovered there are multiple occurances of very lengthy resource access pathnames, e.g., registry keys. I’ve eliminated those redundancies and created a group contining the images needing those specific accesses and hacked out the associated redundancies from the various image name rulesets. Now those very lengthy resource access pathnames only exist once in Computer Security Policy D+ policies