How does #all really work?

#all is a magic word that may be used on a policy to match all of the resources of that particular type

For example, on a service policy, I can include #all as a service role to match all services, or #all as an identity role to match all identities. #all doesn’t make sense as a role attribute on a resource (e.g. identity, service, or edge router), because it’s implied, i.e. all resources match #all when it is used on a policy, and adding #all to a resource must not effect a grant for all policies of a particular type to that resource, correct? Therefore, adding #all to a resource’s role attributes never has any effect.

Therefore, adding #all to a resource’s role attributes never has any effect.

Correct. Adding all to a resource’s role attributes has no effect

Would you also agree that #all only makes sense on a policy when there are no other role attributes because it overrides any other possible combination of role attributes?

Yes. Currently, having #all means the policy will always match all related entities. It probably shouldn’t for policies with an AllOf semantic, but the expectation is that when using #all it will be the only role listed.
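The matching behaviour described in this thread, as an added example that is not OpenZiti's own code: a simplified, hypothetical policy matcher where policy roles are written "#attr" or "#all" and resource role attributes are stored without the "#". It shows that "#all" on the policy side matches everything (even under AllOf), while an attribute named "all" on a resource grants nothing.

```go
package main

import "strings"

// Semantic mirrors the AnyOf / AllOf policy semantics mentioned in the thread.
type Semantic int

const (
	AnyOf Semantic = iota
	AllOf
)

// Policy is a simplified, hypothetical model of one side of a policy
// (e.g. its identityRoles). Roles use "#attr" for a role attribute and
// "#all" for the magic match-everything role. Not OpenZiti's real types.
type Policy struct {
	Roles    []string
	Semantic Semantic
}

// Matches reports whether a resource carrying the given role attributes
// (stored without the "#", e.g. "sales") is selected by the policy.
// "#all" on the policy side short-circuits to true regardless of the
// semantic, which is the current behaviour described above. An attribute
// named "all" on the resource is just an ordinary attribute and grants nothing.
func Matches(p Policy, resourceAttrs []string) bool {
	attrs := map[string]bool{}
	for _, a := range resourceAttrs {
		attrs[a] = true
	}
	matched := 0
	for _, role := range p.Roles {
		if role == "#all" {
			return true
		}
		if attrs[strings.TrimPrefix(role, "#")] {
			matched++
		}
	}
	if p.Semantic == AllOf {
		// AllOf: every listed role must be present on the resource.
		return len(p.Roles) > 0 && matched == len(p.Roles)
	}
	// AnyOf: at least one listed role must be present.
	return matched > 0
}
```

Calling `Matches(Policy{Roles: []string{"#sales"}, Semantic: AnyOf}, []string{"all"})` returns false, while `Matches(Policy{Roles: []string{"#all", "#sales"}, Semantic: AllOf}, []string{"ops"})` returns true.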