Understanding search filters
ref: https://help.sumologic.com/Manage/Users-and-Roles/Manage-Roles/Construct-a-Search-Filter-for-a-Role
Just looking for some confirmation of my understanding of filters on roles:
Scenario: Imagine you have three roles defined, A, B, and C, all three of which have access to all sourceCategories. Assume there are two sourceCats, X and Y. A new sourceCat Z is added, and you need to limit / restrict / control access to Z.
In this scenario it seems to me, whether you use an existing role or create a new one (D), you must now add filters to all roles that should not have access to Z. For every role that should not have access to Z, you must add either:
- a negative (!) filter explicitly denying access to Z, or
- a positive filter limiting access to just X and / or Y.
Off the cuff it seems you could get into a real mess of filters, though I think this can be mitigated somewhat with good sourceCategory design. E.g., maybe put all sensitive logs under a common root sourceCategory.
This model looks like an artifact of putting the access control in the roles ("I am role A and can / cannot access these resources"), rather than putting the access control on the collection ("only role A can access me"), and the absence of a default deny option (deny all log access by default).
Thanks,
Mark
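
The scenario above worked through as an added example (not part of the original post and not Sumo Logic code): it shows which roles need editing when Z arrives, and how each filter style behaves when another sensitive category is added later. Assumptions: the evaluation is a simplified model in which a role with no filter reads everything, filter text uses the `_sourceCategory=` / `!_sourceCategory=` form, and the category `W` and the `sensitive/` root are hypothetical names.

```python
from fnmatch import fnmatchcase

# Simplified model (assumption, not Sumo Logic's evaluation engine): a role's
# filter is a list of ("allow" | "deny", sourceCategory glob) terms, and an
# empty list means the role has no filter and can read everything.
def role_can_read(terms, category):
    if any(k == "deny" and fnmatchcase(category, p) for k, p in terms):
        return False
    allows = [p for k, p in terms if k == "allow"]
    # No allow terms: default-allow. Any allow term: the role is an allow-list.
    return not allows or any(fnmatchcase(category, p) for p in allows)

def exposure(roles, category):
    """Sorted names of the roles that can read `category`."""
    return sorted(n for n, t in roles.items() if role_can_read(t, category))

def roles_needing_filter(roles, category, authorized):
    """Roles that must be edited so only `authorized` roles read `category`."""
    return [n for n in exposure(roles, category) if n not in authorized]

def render(terms):
    """Filter text in the _sourceCategory= / !_sourceCategory= form."""
    allow = " OR ".join(f"_sourceCategory={p}" for k, p in terms if k == "allow")
    deny = " AND ".join(f"!_sourceCategory={p}" for k, p in terms if k == "deny")
    return f"({allow}) AND {deny}" if allow and deny else allow or deny

# Constructed roles mirroring the post: A keeps access to Z, B and C must not.
UNFILTERED = {"A": [], "B": [], "C": []}
DENY_Z = {"A": [], "B": [("deny", "Z")], "C": [("deny", "Z")]}
ALLOW_XY = {"A": [], "B": [("allow", "X"), ("allow", "Y")],
            "C": [("allow", "X"), ("allow", "Y")]}
DENY_ROOT = {"A": [], "B": [("deny", "sensitive/*")],
             "C": [("deny", "sensitive/*")]}

if __name__ == "__main__":
    print("edit for Z:", roles_needing_filter(UNFILTERED, "Z", {"A"}))
    styles = [("deny Z", DENY_Z), ("allow X,Y", ALLOW_XY), ("deny root", DENY_ROOT)]
    for name, roles in styles:
        print(f"{name:10} B filter: {render(roles['B'])}")
        # "W" and "sensitive/W" stand for a later sensitive category (hypothetical).
        print(f"{'':10} W -> {exposure(roles, 'W')}, "
              f"sensitive/W -> {exposure(roles, 'sensitive/W')}")
```

In this model the deny-style roles regain access to every new category until they are edited again, while the allow-list roles and the common-root deny keep later sensitive categories closed without further role changes.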