Loris needs include/exclude groups (and Penn can use this too, and I assume most people will like it). This is what I am planning to do:
1. This is off by default, you enable with a boolean param in grouper.properties
2. If you enable it, a Group marker type will be created if it doesn't exist, called: grouperIncludeExclude
3. I will make sure there is a tooltip of documentation in the UI
4. If this type is applied to a group (named org123, e.g. the auto-loaded grouperLoader group), then a built-in hook will do the following, if the groups do not exist:
   a. create group of org123_include
   b. create group of org123_membersAndIncludes (have two members: org123, and org123_include)
   c. create group of org123_exclude
   d. create group of org123_overall (composite of membersAndIncludes minus org123_exclude)
5. If the type is removed, none of the created groups will be affected
6. I don't know what the permissions of all these groups will be, I assume it will be just like the current user created them
Also we need an enhancement in the loader which allows for a type to be applied to a sql list of groups...
It is possible to do this with one fewer group, but I was thinking that if the "includes" is its own group, then whoever has permissions to edit that membership, cannot remove the org123 group, they will only be able to operate on the whitelist... Then the membersAndIncludes and overall group would be able to have restricted permissions so no one messes it up...
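
The group layout proposed in steps 4 and 5, modelled in Python as an added example; it is not part of the original message and does not use Grouper's API. The `Registry` class, its method names and the subject ids (alice, bob, carol, dave) are constructed for illustration.

```python
# Toy in-memory model of the proposed layout; not Grouper code or its API.
class Registry:
    def __init__(self):
        self.direct = {}     # group -> direct members (subject ids or group names)
        self.composite = {}  # group -> (left, right), meaning left minus right
        self.marked = set()  # groups carrying the grouperIncludeExclude type

    def apply_include_exclude(self, name):
        """Step 4: create each helper group only if it does not exist yet."""
        inc, exc = f"{name}_include", f"{name}_exclude"
        both, overall = f"{name}_membersAndIncludes", f"{name}_overall"
        self.marked.add(name)
        self.direct.setdefault(inc, set())
        self.direct.setdefault(both, {name, inc})
        self.direct.setdefault(exc, set())
        self.composite.setdefault(overall, (both, exc))

    def remove_type(self, name):
        """Step 5: dropping the type leaves the created groups alone."""
        self.marked.discard(name)

    def members(self, name):
        """Effective membership, expanding nested groups and composites."""
        if name in self.composite:
            left, right = self.composite[name]
            return self.members(left) - self.members(right)
        found = set()
        for m in self.direct.get(name, ()):
            nested = m in self.direct or m in self.composite
            found |= self.members(m) if nested else {m}
        return found

def demo():
    reg = Registry()
    reg.direct["org123"] = {"alice", "bob"}           # constructed loader result
    reg.apply_include_exclude("org123")
    reg.direct["org123_include"].add("carol")         # manual include entry
    reg.direct["org123_exclude"] |= {"bob", "carol"}  # exclude wins over both
    before = reg.members("org123_overall")
    reg.direct["org123"] = {"alice", "dave"}          # loader re-sync touches only org123
    reg.apply_include_exclude("org123")               # re-running the hook resets nothing
    return before, reg.members("org123_overall"), reg.members("org123_include")

if __name__ == "__main__":
    print(demo())
```

Because the include list lives in its own group, an editor of `org123_include` can add or drop subjects there without being able to detach `org123` from `org123_membersAndIncludes`.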