Standard access role should not be listed in your custom access group. Is it correct?
Someone told me that you never should include standard access role to your application's access group (I am only talking about end user, not developer). I understand this because, for example, once you include PegaRULES:WorkMgr4 or PegaRULES:User4, they have "5" for Work- class. That means even if you restrict the access to MyCo-MyApp-Work-PurchaseRequest class in your custom access role, that will not take an effect.
Now, I am also feeling like some of access roles should be included like PegaAPI or SecurityAdministrator otherwise some of functionalities wouldn't work. Are these supposed to be considered as exception?