When you assign privileges to a group, all subgroups and users belonging to the group inherit the privileges.
When you assign a role to a user, the user inherits the privileges belonging to the role.
When you assign a role to a group, the group and all subgroups and users belonging to the group inherit the privileges belonging to the role. The subgroups and users do not inherit the role.
So, the ideal approach is to have a dedicated group with the users who need to see the sensitive data, and grant them the 'View Sensitive Data' permission.
The privileges provided at group level for a resource are by default inherited at the user level as well.
For example, if we give Read and Write privileges at group level, they will be inherited by all the users present in that group for that particular resource. That can be further managed at user level.
What we have is the third scenario. We create roles and assign the privileges to the role. We assign the roles to groups. We then assign the users to the groups as well.
We want our users to be able to see ALL non-sensitive data but only certain folks to see sensitive data. I do not see how we can pull this off if the privileges are at the role, group, or user level and the metadata and data read permission is required on the resource.
I do not think your approach would work because of the way we have all users set up as "general users". This general users group is our security domain which we populate through our LDAP config from an AD group. In this case we assign privileges (View Data) to the group in the Administrator. In the Catalog Administrator this group has Metadata and Data Read access to all resources. As we understand it they must have this to be able to see ANY value frequency. Without it they could not even see non-sensitive data.
Since I now have users that are both general users (through the LDAP config) and Data Owners/Data Stewards, if I give the role, group, or even the user the View Sensitive Data privilege directly, they would be able to see the sensitive data on any resource.
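As an added illustration, not code from this thread or from the product itself: a small Python model of the three inheritance rules quoted at the top, applied to the setup in the last post, with constructed user, group and resource names. It shows why a user who sits in the general users group (Metadata and Data Read on every resource) and also picks up View Sensitive Data through a steward role can see sensitive values on every resource, while privileges alone are not enough without Data Read on the resource.

```python
# Simplified model of the inheritance rules quoted in this thread (constructed example, not
# Informatica's own API): privileges on a group flow down to its subgroups and members, and a
# role on a user or group contributes the role's privileges, while the role itself does not flow.
class Directory:
    def __init__(self, role_privs, group_privs, group_roles, group_parent,
                 user_groups, user_roles, resource_read):
        self.role_privs = role_privs        # role -> privileges
        self.group_privs = group_privs      # group -> privileges assigned to the group itself
        self.group_roles = group_roles      # group -> roles assigned to the group
        self.group_parent = group_parent    # subgroup -> parent group
        self.user_groups = user_groups      # user -> groups the user is a member of
        self.user_roles = user_roles        # user -> roles assigned directly to the user
        self.resource_read = resource_read  # resource -> principals with Metadata and Data Read

    def memberships(self, user):
        """Direct groups plus every parent group, since privileges flow down the hierarchy."""
        found = set()
        for g in self.user_groups.get(user, ()):
            while g is not None and g not in found:
                found.add(g)
                g = self.group_parent.get(g)
        return found

    def effective_privileges(self, user):
        privs = set()
        for role in self.user_roles.get(user, ()):      # roles held by the user directly
            privs |= self.role_privs.get(role, set())
        for g in self.memberships(user):
            privs |= self.group_privs.get(g, set())
            for role in self.group_roles.get(g, ()):    # the role's privileges flow, the role does not
                privs |= self.role_privs.get(role, set())
        return privs

    def has_read(self, user, resource):
        return bool(({user} | self.memberships(user)) & self.resource_read.get(resource, set()))

    def can_view_sensitive(self, user, resource):
        # Sensitive values are visible only with the privilege AND Data Read on that resource.
        return "View Sensitive Data" in self.effective_privileges(user) and self.has_read(user, resource)

def thread_setup():
    """The last post's situation: everyone is in 'General Users' (Data Read everywhere), stewards get the privilege via a role."""
    return Directory(
        role_privs={"Data Steward": {"View Sensitive Data"}},
        group_privs={"General Users": {"View Data"}},
        group_roles={"Data Stewards": {"Data Steward"}},
        group_parent={"Contractors": "General Users"},          # constructed subgroup
        user_groups={"alice": {"General Users", "Data Stewards"}, "bob": {"Contractors"}},
        user_roles={},
        resource_read={"HR_DB": {"General Users"}, "Sales_DB": {"General Users"}},
    )
```

Running `thread_setup().can_view_sensitive("alice", r)` for each resource returns True for both, which is the leak the last post describes; bob, in the subgroup, inherits View Data but never the steward privilege.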