Hi :)

Giving a user a project view deny may not work as you expect. The user cannot see that project but can see the resources in it via urls. I know it sounds weird but this is what happened when I applied project deny.

As for your question, no you don't have to include them all. You can just deny the viewer role.