We have a model with lets say 10 explores.

There is a lot of content built on all these explores already.

There is a new group of contractors who should see some but not all 10 of these explores.

I have a few different options to remedy this situation however they come with cons.

• Move the restricted explores out of this model file and permission via model access.
  • downside: I got to run content validator and update all content built on these moving explores…..content validator does not perform v well on our instance as the amount of content we have and am nervous about using it in bulk as it sometimes crashes midway.
• Apply an access grant to these explores which would include all but the contractors.
  • downside: I got to set every person in my company with a user attribute apart from these contractors (I can do this via group attributes etc but it seems silly to have to action this for the 99% when its the 1% I want to exclude - what I really want here is exclude access grant to user attribute and set it for the 1%.)
• Set a user attribute just for the contractors and implement a nasty sql always where which equates to 1=2 for the contractors and 1=1 for everyone else (means I only set user attribute for the contractors and not everyone else).
  • downside: this is dirty and the explore is still visible but wont return data.

I was hoping for a way to have the opposite of an access grant or reverse/exclude the condition.

Anyone any thoughts?