It seems that read and all the other security access features are fine but providing a None access to particular folders and applications so they are not even accessible by a particular user would be great as well as a set of group permissions.