I can create a security group just fine with PowerNSX, but the syntax for creating a dynamic rule using 3 security tags while changing the logic from "Any" to "All" is what I need.
Firstly you should be using "Security Tag" and "Equals To". The recommended method to achieve what you want is to use Entity Belongs To. If you've already configured them, see the following attachment for a method to remediate the configuration.
Now to configure your security group using PowerNSX, try the following:
$tag1 = Get-NsxSecurityTag -name HUB-CLIENT
$tag2 = Get-NsxSecurityTag -name ST-ENV-PROD
$tag3 = Get-NsxSecurityTag -name ROL-ORACLEDB
$Entity1 = New-NsxDynamicCriteriaSpec -Entity $tag3
$Entity2 = New-NsxDynamicCriteriaSpec -Entity $tag2
$Entity3 = New-NsxDynamicCriteriaSpec -Entity $tag1
Get-NsxSecurityGroup -name foo | Add-NsxDynamicMemberSet -SetOperator OR -CriteriaOperator AND -DynamicCriteriaSpec $Entity1,$Entity2,$Entity3