We have created 2 roles below delegated administrators to facilitate them to do their work.
The assumption was that "exceptions only" would also provide read only access to policies and filters.
This is not the case.
To provide a good functionality to administrators that don't require "full policy" we request a role be created that is providing "exceptions only" + "read only" (to be able to maintain whitelist and blacklists and ALSO to check policy and view filters and polices without the ability to change them)
The role "exceptions only" is useless since "check policy" is unavailable and the support personel with this role cant troubleshoot properly before being able to conclude a specific url should be added to a particular white or blacklist.