Rule Set Validation Best Practice with Unloacked AV Rule Set
In SSA Course Rule Set Validation topic, I have found one of the Best Practice as " Include unlocked AV rulesets in one application only. Doing so prevents AV rulesets from referring to rules that may not exist in applications that do not contain the ruleset."
Some users just perform tasks, so they get MyTaskManager. Some users just fix bugs, and they get MyBugManager. Some users do both, they get MyWorkManager.
If you do your application development in MyWorkManager, the app with all three ruleset, you will eventually make the mistake of referencing a rule in MyBug Ruleset from MyTask Ruleset or via versa. If you do this, users who are running MyTaskManager or MyBugManager will not have access to all the rules and exceptions will occur. For example, you might create a local action in MyTask Ruleset that creates a new bug and calls a rule in MyBug Ruleset. This is fine if you have MyWorkManager application, but not okay if you have either of the others.
In the case outlined above, you may be overcomplicating things needlessly by having so many rulesets. Personally, I would recommend something like:
You would then control 1) what users see and 2) what they can process using privileges.
If you do need to have a reuse ruleset, just give it its own application:
In this example, both MyClaimManager and MyTimeSheetApp are both built on MyConnect because they might use the same connectors to call common services. Using built on apps in this case will prevent developers from building rules in MyConnect from calling Claim or Time rules.
In conclusion, you should use built-on applications to facilitate rule reuse. Do not use different combinations of rulesets to prevent users from having access to rules.