Basically these are the two type of rules - system and user based:
System based can use either tag or a System Tree location/group while user based apply either to specific tag applied, tree location or the user who is currently logged on a machine in System Tree. Assignment rule takes precedence over ordinary applied policies to a machine or a group.
If you need to force a specific user to use token or password, you just create such UBP and in the criteria point that user/group/membership:
User based criterias
In case above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks! Nino