diff --git a/acl/acl.go b/acl/acl.go
index 25f111152..f5a76ea03 100644
--- a/acl/acl.go
+++ b/acl/acl.go
@@ -205,9 +205,7 @@ func (a *ACL) matchingCapabilitySet(ns string) (capabilitySet, bool) {
 }
 // We didn't find a concrete match, so lets try and evaluate globs.
- cs, ok := a.findClosestMatchingGlob(ns)
-
- return cs, ok
+ return a.findClosestMatchingGlob(ns)
 }
 type matchingGlob struct {
@@ -251,10 +249,9 @@ func (a *ACL) findAllMatchingWildcards(ns string) []matchingGlob {
 isMatch := glob.Glob(k, ns)
 if isMatch {
- globLen := len(strings.Replace(k, glob.GLOB, "", -1))
 pair := matchingGlob{
 ns: k,
- difference: nsLen - globLen,
+ difference: nsLen - len(k) + strings.Count(k, glob.GLOB),
 capabilitySet: v,
 }
 matches = append(matches, pair)
diff --git a/acl/acl_test.go b/acl/acl_test.go
index e1cad58ae..523208233 100644
--- a/acl/acl_test.go
+++ b/acl/acl_test.go
@@ -288,7 +288,12 @@ func TestWildcardNamespaceMatching(t *testing.T) {
 },
 { // The closest character match wins
 Policy: `namespace "*-api-services" { policy = "deny" }
- namespace "prod-api-*" { policy = "write" }`, // 5 vs 8 chars
+ namespace "prod-api-*" { policy = "write" }`, // 4 vs 8 chars
+ Allow: false,
+ },
+ {
+ Policy: `namespace "prod-api-*" { policy = "write" }
+ namespace "*-api-services" { policy = "deny" }`, // 4 vs 8 chars
 Allow: false,
 },
 }
@@ -371,6 +376,21 @@ func TestACL_matchingCapabilitySet_difference(t *testing.T) {
 NS: "production-admin-api",
 Difference: 9,
 },
+ {
+ Policy: `namespace "production-**" { policy = "write" }`,
+ NS: "production-admin-api",
+ Difference: 9,
+ },
+ {
+ Policy: `namespace "*" { policy = "write" }`,
+ NS: "production-admin-api",
+ Difference: 20,
+ },
+ {
+ Policy: `namespace "*admin*" { policy = "write" }`,
+ NS: "production-admin-api",
+ Difference: 15,
+ },
 }
 for _, tc := range tests {
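Review bot: The new `difference` expression on the `+` line silently assumes `glob.GLOB` is a single byte: `strings.Count(k, glob.GLOB)` adds one per occurrence, whereas the removed `strings.Replace` form subtracted the full length of each occurrence, so the two are only equivalent while the glob constant stays one byte long. Because this number decides which namespace policy wins, the intent deserves a sentence above the struct literal, e.g. `// difference = bytes of ns consumed by wildcards (nsLen minus the pattern's literal bytes); lower means a more specific pattern. Relies on glob.GLOB being one byte.`, or keep the length explicit with `difference: nsLen - len(k) + strings.Count(k, glob.GLOB)*len(glob.GLOB),`. Note also that `len` counts bytes, so namespaces with multi-byte characters are scored by byte length rather than characters; that predates this change. findAllMatchingWildcards starts and ends outside the hunk.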
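Review bot: The second added case in TestWildcardNamespaceMatching is the first one with its two policies in reverse declaration order, but it carries no comment saying so while its twin is labelled `// The closest character match wins`, so a reader has to diff the two raw strings to see the intent. I'd label it `{ // Same policies, declaration order reversed: the 4-char match must still win`. The namespace being matched is not in the hunk, so the `4 vs 8 chars` figures cannot be checked from here, though they agree with the new formula for a 17-byte name such as `prod-api-services`. The enclosing test function starts and ends outside the hunk.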
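Review bot: The three added cases in TestACL_matchingCapabilitySet_difference pin the new arithmetic (`production-**` scoring the same 9 as the `production-*` case just above it, `*` scoring the full 20, `*admin*` scoring 15), but none of them exercises a tie between two patterns with equal difference and conflicting policies. Since the difference selects the winning policy for a namespace, a deterministic tie-break matters for an ACL; findClosestMatchingGlob is outside the hunk, so I cannot tell from here how it resolves equal scores, and a case such as `namespace "production-*" { policy = "deny" }` alongside `namespace "production-**" { policy = "write" }` against the same NS would document the intended answer. A short comment on the `production-**` case, e.g. `// adjacent globs add no specificity: scores the same as "production-*"`, would also explain why its expected value repeats the case above. The enclosing test function starts and ends outside the hunk.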