Yeah exactly like this. I like being able to approve/deny requests or "learn" from a good run and apply that policy to later runs so I can leave them unattended and know they can't access anything aside from what I approved.