Mohamed,
My experience is with an older 6.x version; not sure if newer cas management has made any changes to authz.
accessStrategy is a cas side feature; cas management has its own authorization requirements. That is, cas can use accessStrategy to block login to an application, but it cannot override an application's built in authorization.
I have a users.json file but it is empty (cas management needs the file for startup, but can authz with login attribute - mgmt.authz-attributes[0] = ...).
I recall looking at the code for cas management 6.x, and it only checked for ROLE_ADMIN as the attribute value.
Ray