Security should be checked for each project role. This guarantees that roles have access to the data that they require. When enabled from the start of the project this leads to strict access rules that give users access to the minimum set of data needed to pass the security check.
For convenience, it is possible to configure this rule to only violate once a project role has more than N module roles. In exceptional cases some project roles, for example, a ‘Debug’ role or a web service role can be excluded from this check by whitelisting the violation.
Noncompliant example:
Compliant example: