Web Services Connector: Entitlement Endpoint as Parent, Account Endpoint as Child

A better model here would be to assign all basic access as part of the “Basic IT Role”. The rest of the roles, which are incremental, do not need to reuse all the criteria used in the “Basic IT Role”, because you are only assigning incremental, department-specific access.

The thing I do not understand here is why you want to include the users again in the Finance department role. An incremental role should have criteria that only the specific department's users meet, and it should only assign incremental access.

E.g., a company has a “Basic IT Role” which assigns access BR1, BR2, BR3 (BR: Birth Right) to 10K users (most of the users in the organization) based on criteria (LCS: active and employeeType=Employee).
This role should ideally provision all the general access that is basic for the IT role.

If you want to give anything specific to the Finance department, you only need to create a new role with that specific access instead of giving BR1, BR2, BR3 again, and this role only needs to meet the criteria for those specific users, because those users would already have BR access.

Hope this model makes sense.
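
The model described in the post above, as an added example that is not part of the original post and is not SailPoint code: a plain-Python sketch that evaluates a birthright role plus an incremental Finance role and flags an incremental role that re-grants birthright access. The `department` attribute, the `FIN1` entitlement, the role name "Finance Department Role" and the sample identities are assumptions constructed for illustration.

```python
# Added illustration: a plain-Python model of role criteria, not a vendor API.
BASIC_IT_ROLE = {
    "name": "Basic IT Role",
    "criteria": {"lcs": "active", "employeeType": "Employee"},
    "access": {"BR1", "BR2", "BR3"},  # birthright access from the post
}
# Incremental role: criteria select only Finance users, access is only the delta.
FINANCE_ROLE = {
    "name": "Finance Department Role",       # hypothetical role name
    "criteria": {"department": "Finance"},   # hypothetical attribute
    "access": {"FIN1"},                      # constructed entitlement
}

def matches(identity, criteria):
    """True when every criterion attribute equals the identity's value."""
    return all(identity.get(k) == v for k, v in criteria.items())

def effective_access(identity, roles):
    """Map each granted entitlement to the list of roles that grant it."""
    granted = {}
    for role in roles:
        if matches(identity, role["criteria"]):
            for ent in sorted(role["access"]):
                granted.setdefault(ent, []).append(role["name"])
    return granted

def redundant_grants(base, incremental):
    """Entitlements an incremental role re-assigns although the base role has them."""
    return sorted(base["access"] & incremental["access"])

def double_granted(identity, roles):
    """Entitlements this identity receives from more than one role."""
    return sorted(e for e, r in effective_access(identity, roles).items() if len(r) > 1)

# Constructed sample identities.
FIN_USER = {"lcs": "active", "employeeType": "Employee", "department": "Finance"}
ENG_USER = {"lcs": "active", "employeeType": "Employee", "department": "Engineering"}

if __name__ == "__main__":
    for user in (FIN_USER, ENG_USER):
        print(user["department"], effective_access(user, [BASIC_IT_ROLE, FINANCE_ROLE]))
    # A Finance role that repeats BR1..BR3 shows up as redundant.
    overloaded = dict(FINANCE_ROLE, access={"BR1", "BR2", "BR3", "FIN1"})
    print("redundant:", redundant_grants(BASIC_IT_ROLE, overloaded))
```
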