Thanks that helps! I will abandon the host sets then. My target hosts are not the same in the sense that it is irrelevant which host is chosen. So I will create a target for each host and then group them permissionwise by creating roles which explicitly list the targets in their grants. I can then use the roles to allow users and groups to access the host by assigning them to the appropriate roles.