Did you read the fortimail admin setup guide? A access-policy is not required for a "must have". You need to understand the difference of a access-control policy and rcpt-policy and how to best use them.
Access Control Policy are best used for ;
ipv4 address like to block a unique address like a spammer or the chinese guy that fails SMTP-AUTH 1000000 per-day that's pissing you off, to set tls policy per-addresss or domain ( recipient domain i.e I use TLS 1.1 for mail to *@gmail.com etc.....)
Recipient policy are just that; " recipient based" and AS/AV/Content profiles do I apply.
I would use the Quick Start Wizzard and build a based FML cfg and then modify and controlled it from that based cfg IMHO