In some Enterprise scenarios we use "purely object" access groups.
Users obtain permissions via group membership in two different ways: 1) access to functionality (e.g. DE, DBC, Admin) and 2) access to objects.
Often these functional and object permissions are combined (i.e. a group is defined, say "Engineers", with particular functional permissions given, and later the same group is used to define access permissions for reports or data configurations).
It would be nice to provide a group permission type "purely objects access permission" with a visual distinction (a different icon, e.g. with black and white user heads in it); if such a group is created, it does not list functional permissions and only allows adding SE (or AD) users.
This is to help users later, when they are selecting access permissions, to pick only the "pure object access" groups from this separate type of access permissions group.
In practice this has proven to work quite well: the permissions scenarios have been defined where each user must be in at least two groups: a) functional access (e.g. Admins, Developers, Data Enterers) and b) object scope (e.g. GxP reports, Site X). The only slight problem with this is for user administrators and object creators to remember which groups are defined for "pure object access"; it would help if those had a different icon and some enforcement of not mixing functional permissions in them. We manage this via SOP and training/procedure, but a system supporting this way of working would help and make Enterprise even more user friendly.
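
Until the product enforces the split, the two rules described above can be checked by an audit script. The following is an added example, not part of the original request and not product code: the export layout, the `type` field and the function names are assumptions, and the sample data is constructed using the group names mentioned above.

```python
# Assumed: the functional permission names are the ones listed in the post.
FUNCTIONAL_PERMISSIONS = {"DE", "DBC", "Admin"}

# Constructed sample export (hypothetical layout): group -> type and permissions.
GROUPS = {
    "Admins": {"type": "functional", "permissions": {"Admin"}},
    "Data Enterers": {"type": "functional", "permissions": {"DE"}},
    "GxP reports": {"type": "object", "permissions": set()},
    "Site X": {"type": "object", "permissions": {"DBC"}},  # mixed by mistake
}

# Constructed sample memberships: user -> set of group names.
MEMBERSHIPS = {
    "alice": {"Admins", "GxP reports"},
    "bob": {"Data Enterers"},             # has no object-scope group
    "carol": {"GxP reports", "Site X"},   # has no functional group
}


def mixed_object_groups(groups):
    """Return object-access groups that also carry functional permissions."""
    return sorted(
        name for name, group in groups.items()
        if group["type"] == "object"
        and group["permissions"] & FUNCTIONAL_PERMISSIONS
    )


def incomplete_users(groups, memberships):
    """Map each user to the group types ("functional", "object") they lack."""
    findings = {}
    for user, names in memberships.items():
        # Group names missing from the export are ignored here.
        held = {groups[name]["type"] for name in names if name in groups}
        missing = sorted({"functional", "object"} - held)
        if missing:
            findings[user] = missing
    return findings


if __name__ == "__main__":
    for name in mixed_object_groups(GROUPS):
        print(f"object group with functional permissions: {name}")
    for user, missing in incomplete_users(GROUPS, MEMBERSHIPS).items():
        print(f"{user}: missing {', '.join(missing)} group")
```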