Thank you @Sumanth V -Oracle. I may be misunderstanding, but it doesn't look like that will help. Here's what I see for the object-level security for the NetSuite - Journal dataset and is what is expected.

The problem is that the out-of-the-box NAW Licensed Viewer Role includes the NetSuite Analytics Warehouse Financials Duty permission, so anyone with that role can view workbooks using that dataset. We need a way to indicate that some users have the NetSuite Analytics Warehouse Financials Duty permission while others do not.

Thank you @Bret Grinslade - Oracle Analytics-Oracle. At first, our goal is to limit access to specific folders and workbooks within the catalog because most of the initial users will simply be viewers. As we allow users to be authors, we'll also need to control access to datasets.

I looked into this previously, but the challenge is still that every user with the NAW Licensed Viewer Role can access every folder or workbook, either by virtue of the related system role (System Administrator, Author, Consumer) or one of the underlying duty roles. Here's a specific example using the default out-of-the-box folder structure.

Shared Folders
NetSuite
→ Service Administrator = Read-Write
→ Consumer = Read-only
Detailed Dashboards
→ Service Administrator = Read-Write
→ NetSuite Financials Content Duty = Read-Only
→ NetSuite Financials Content Duty = Read-Only
→ NetSuite Financials Content Duty = Read-Only
→ NetSuite Financials Content Duty = Read-Only
Financials
→ Service Administrator = Read-Write
→ NetSuite Financials Content Duty = Read-Only
Financials [workbook]
→ Service Administrator = Read-Write
→ NetSuite Financials Content Duty = Read-only

Since the NSAW Licensed Viewer Role includes the NetSuite Financials Content Duty role, how can the permissions be changed to allow only some users access? I guess the role permission could be removed, and permissions added for specific users, but that feels like a very cumbersome way to go about it. Is there no way to create additional licensed roles, each with a different set of duty roles?

Here's how this was resolved.

First, all roles other than Consumer were removed from the NAW Licensed User group. Essentially, this changes the purpose of this role from licensing + access control to just licensing. Here's the full list of roles that were removed.

• NAW_BANKING_CONTENT_DUTY
• NAW_BANKING_DUTY
• 
  NAW_CONTENT_EXPLORER_ANALYSIS_CONTENT_DUTY
• 
  NAW_EMPLOYEE_EXPENSES_CONTENT_DUTY
• NAW_EMPLOYEE_EXPENSES_DUTY
• NAW_FINANCIALS_CONTENT_DUTY
• NAW_FINANCIALS_DUTY
• NAW_FINANCIALS_OVERVIEW_OAC_CONTENT_DUTY
• NAW_ORDER_MANAGEMENT_OVERVIEW_OAC_CONTENT_DUTY
• NAW_PROCUREMENT_OVERVIEW_OAC_CONTENT_DUTY
• NAW_PURCHASING_CONTENT_DUTY
• NAW_PURCHASING_DUTY
• NAW_SALES_CONTENT_DUTY
• NAW_SALES_DUTY
• NAW_SALES_CONTENT_DUTY
• NAW_SALES_SNAPSHOT_CONTENT_DUTY
• NAW_SALES_SNAPSHOT_DUTY
• OA4F_COMMON_DATA_ADMIN_ANALYSIS_DUTY
• OA4F_CONTENT_EXPLORER_ANALYSIS_DUTY

As an aside, it was confusing that even though the NAW Licensed Viewers, NAW Licensed Authors, and NAW Service Admin groups have a locked icon next to them with "Oracle ready to use groups cannot be modified or deleted", roles can be removed from them.

Second, new application roles were created for the various job functions (e.g. Sales, Finance, …).

Third, new groups were created for the various job functions (e.g. Sales Team, Finance Team, …) and related application roles were assigned to them. For example, Sales, NAW_SALES_DUTY, NAW_SALES_SNAPSHOT_DUTY were assigned to the Sales Team group.

Fourth, the new groups were assigned to appropriate users.

After doing this, users in both the Sales Team and NSAW Licensed Viewer groups could no longer access the NetSuite catalog folders, but could access folders we created with access permitted to the Sales Team. These users could no longer access the NetSuite catalog folders because they no longer had any of the application roles in bold above that were previously granted to them through the NetSuite Licensed Viewer group.

I hope this helps someone else in the future.