Failed to reach implicit threshold of 1 sub-policies, required 1 remaining: permission denied

try using different names for ChannelID in command (here ChannelID value is byfn-sys-channel and it's so called "system channel"):

../bin/configtxgen -profile TwoOrgsOrdererGenesis -channelID byfn-sys-channel -outputBlock ./channel-artifacts/genesis.block

and all the rest commands with ChannelID (here is DIFFERENT channel with ChannelID mychannel):

export CHANNEL_NAME=mychannel  && ../bin/configtxgen -profile TwoOrgsChannel -outputCreateChannelTx ./channel-artifacts/channel.tx -channelID $CHANNEL_NAME

...

export CHANNEL_NAME=mychannel
peer channel create -o orderer.example.com:7050 -c $CHANNEL_NAME -f ./channel-artifacts/channel.tx --tls --cafile /opt/gopath/src/github.com/hyperledger/fabric/peer/crypto/ordererOrganizations/example.com/orderers/orderer.example.com/msp/tlscacerts/tlsca.example.com-cert.pem

I've got the same error.

Error: got unexpected status: FORBIDDEN -- implicit policy evaluation failed - 0 sub-policies were satisfied, but this policy requires 1 of the 'Writers' sub-policies to be satisfied: permission denied

After removing everything in docker using this command, the error is sovled.

docker stop $(docker ps -a -q)  ; docker rm -f $(docker ps -aq) ; docker system prune -a ; docker volume prune ; docker ps -a ; docker images -a ; docker volume ls

Especially the 'docker volume prune' command is important.

In your ./byfn.sh script in genesis block creation you have written this command

echo "##########################################################"
echo "#########  Generating Orderer Genesis block ##############"
echo "##########################################################"

configtxgen -profile TwoOrgsOrdererGenesis -outputBlock ./channel-artifacts/genesis.block -channelID $CHANNEL_NAME

remove -channelID $CHANNEL_NAME from it and ignore this warning

2019-02-24 23:34:25.334 IST [common/tools/configtxgen] main -> WARN 001 Omitting the channel ID for configtxgen for output operations is deprecated.  Explicitly passing the channel ID will be required in the future, defaulting to 'testchainid'

It should work now. It did on my system.