Has anyone utilized the confidential records feature in GRC and apply it on sn_risk_advanced_risk_assessment_instance table?  

sn_compliance_policy_exception is already configured in confidential records out of the box and it's working fine. However as we have configured the risk assessment for policy exception (take a risk assessment rather than select the rating directly). Users who can't see the exception can still see the associated risk assessment (if they search hard). It doesn't make sense. 

How do we ensure only selected users can see both policy exceptions and associated risk assessment?