The current security model requires a user to be added to every lower level key that they need access to.
For example
Wave + Process Area
Wave + Process Area + Object
Wave + Process Area + Object + Target
Wave + Process Area + Object + Target + Source
There should be an option to indicate that a user, or role has access to ALL items below a particular level. If a key is added for Wave + Process Area, ONLY, then that user should have access to all Objects/Targets, and Sources.
In addition, there should be either INCLUSION, or Exclusion capability by Process Area, Object, Target, or Source only. If I wish to Exclude a role from HCM process Area, for instance, that should be easy to do.
This originated with this support request: How do I set up security for a user to have ALL Process Areas/Objects/Targets/Sources within a single Wave?