diff --git a/src/authorizeRequest/authorizeRequest.js b/src/authorizeRequest/authorizeRequest.js
index fd919b7..9ec9c6f 100644
--- a/src/authorizeRequest/authorizeRequest.js
+++ b/src/authorizeRequest/authorizeRequest.js
@@ -32,11 +32,13 @@ async function authorizeRequest(userRequest, siteRule) {
 const pathSegments = url.split('/');
 const indexOfRestricted = pathSegments.indexOf('__restricted');
- let groupName = pathSegments[indexOfRestricted + 1];
+ // If there is no __restricted segment, set the group name to null.
+ let groupName = indexOfRestricted !== -1 ? pathSegments[indexOfRestricted + 1] : null;
 let isRootSite = indexOfRestricted ? indexOfRestricted < 5 : false;
 // If there is a whole-site protection rule, the group name will be the value of the rule.
- if (siteRule) {
+ // Unless there is a group name in the url, individual protections take precedence.
+ if (siteRule && !groupName) {
 groupName = Object.values(siteRule)[0];
 // If there's nothing after the domain, then this is a root site.
 isRootSite = Object.keys(siteRule)[0] === domain;
diff --git a/src/authorizeRequest/authorizeRequest.test.js b/src/authorizeRequest/authorizeRequest.test.js
index 4e1e077..850d3dd 100644
--- a/src/authorizeRequest/authorizeRequest.test.js
+++ b/src/authorizeRequest/authorizeRequest.test.js
@@ -14,7 +14,7 @@ ddbMock.on(GetCommand, {
 }).resolves({
 Item: {
 rules: JSON.stringify({
- users: ['user1', 'user2', 'test', 'test2'],
+ users: ['user1', 'user2', 'test', 'test2', 'some_user'],
 states: ['faculty', 'staff'],
 entitlements: ['https://iam.bu.edu/reg/college/com'],
 ranges: ['crc'],
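Review bot: The new `indexOfRestricted !== -1` guard on the groupName line is not carried to the line directly beneath it, `let isRootSite = indexOfRestricted ? indexOfRestricted < 5 : false;`, where -1 is truthy and `-1 < 5` holds, so a URL with no `__restricted` segment is marked as a root site unless a siteRule later overwrites the flag; that looks unintended, and `let isRootSite = indexOfRestricted > 0 && indexOfRestricted < 5;` would keep the two lines consistent while preserving the index-0 result. On the `if (siteRule && !groupName)` line, `!groupName` also matches an empty string (`/__restricted//file`) and `undefined` (`__restricted` as the last segment), so those URLs fall through to the whole-site rule; the comment above it could name that explicitly. Because the group segment comes from the request URL, a whole-site rule is now never consulted when such a segment is present and so no longer acts as a ceiling on who can reach content under that site; since this changes what a siteRule guarantees, the comment should say so rather than only "individual protections take precedence". authorizeRequest's body continues outside the hunk.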
@@ -147,4 +147,21 @@ describe('authorizeRequest', () => {
 const result = await authorizeRequest(userRequest, siteRule);
 expect(result).toBe(false);
 });
+
+ it('should return true if the user is granted access by groupName even if denied by siteRule', async () => {
+ const userRequest = {
+ url: 'https://example-access-point.s3-object-lambda.us-east-1.amazonaws.com/somesite/files/__restricted/somegroup/image.jpg',
+ headers: {
+ Eppn: 'some_user@bu.edu', // This user should have access to 'somegroup' but not 'othergroup'.
+ 'X-Real-Ip': '127.0.0.1',
+ 'X-Forwarded-Host': 'example.host.bu.edu, example.host.bu.edu',
+ },
+ };
+ const siteRule = {
+ 'example.host.bu.edu/somesite': 'othergroup',
+ };
+
+ const result = await authorizeRequest(userRequest, siteRule);
+ expect(result).toBe(true);
+ });
 });
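Review bot: The new test asserts only the permissive direction of the precedence change; the case its own Eppn comment implies — a user who is in `othergroup` but not `somegroup` requesting the same `__restricted/somegroup/image.jpg` URL and now being denied — is the direction that matters for a whole-site rule and is not asserted anywhere in this diff. A sibling `it(...)` with the same `userRequest` URL, an Eppn the fixture places only in the site's group, and `expect(result).toBe(false)` would pin it. The inline comment on the Eppn line states an entitlement that the fixture hunk earlier in the diff only partly shows (`'some_user'` is appended to a `users` list whose group is outside the hunk), so that mapping should be confirmed against the rest of the test file. The enclosing `describe` block starts outside the hunk.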