The safest way to set-up your scheme is to err on the side of denial, i.e. prohibit access until it becomes obvious that a user or group needs it. The easiest way to do this is to initially set-up your group names with no access at all. Then as legitimate users are denied access to something, you as their supervisor, go to the same form and give them access by pressing F9 and making the appropriate selections.