  1. Grouper
  2. GRP-2157

add template for policy group



    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 2.4.0.patch, 2.5.0, 2.4.1
    • UI
    • None


      This can be the next generation "include/exclude" and "require group". Will prompt for name, display name, description, and a "require group". If you enter "wikiUser" as the group name, then it will prompt for:

      • Create group: whateverFolder:wikiUser?     (default checked)
        • Create group: whateverFolder:wikiUser_allow? (default checked)
          • Create group: whateverFolder:wikiUser_allow_adhoc?
        • Create group: whateverFolder:wikiUser_deny? (default checked)
          • Add: ref:someRedButtonGroup as member of whateverFolder:wikiUser_deny? (default checked)
            [note, only displayed if configured in config file]
          • Create group: whateverFolder:wikiUser_deny_adhoc?
        • Create group: whateverFolder:wikiUser_requireInGroup?
          • Add: ref:someActiveGroup as member of whateverFolder:wikiUser_requireInGroup? (default checked)
            [note, only displayed if configured in config file]

      So by default you get an allow and deny group to make your policy. If you want ad hocs, you can check those checkboxes. I don't think we need the traditional systemOfRecord group, since you would just add ref groups to the "allow" group.

      The template would do the logic to make the composites etc.  The overall is a composite allow minus deny. 

      If there is a require group, then there would be a _preRequireGroup helper group, which is the allow minus deny, and the overall is the intersection of the pre-require helper group and the requireInGroup. If there is no deny group, then that composite can be skipped, i.e. based on the checkboxes, it will make the correct groups.

      This would also work on existing groups; in that case it might:

      1. Add existing group members to the "allow" group
      2. Add existing non group members to the allow adhoc group (or the allow group if there is no adhoc group)
      3. It could also convert from include/exclude to allow/deny.  In this case if the systemOfRecord group is a loader group, it would keep a systemOfRecord group and add to the allow group
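
      The composite logic described above (allow minus deny, then intersected with the require group) can be modelled with plain sets. This is an added example, not Grouper code or its API: `plan_policy_groups` and `resolve` are hypothetical names, the subjects are constructed sample data, and the case with neither a deny nor a require group (overall group simply includes the allow group) is an assumption the issue does not spell out.

```python
# Added illustration: models the template's composite wiring with Python sets.
# plan_policy_groups() and resolve() are hypothetical helpers, not Grouper API.

def plan_policy_groups(base, deny=True, require=False):
    """Return {group_name: definition} for the chosen checkboxes.

    A definition is ("members",) for a plain group, ("includes", g) for a
    group whose only member is group g, or (op, left, right) for a composite
    where op is "complement" (left minus right) or "intersection".
    """
    allow, deny_g = base + "_allow", base + "_deny"
    pre, req = base + "_preRequireGroup", base + "_requireInGroup"
    plan = {allow: ("members",)}
    if deny:
        plan[deny_g] = ("members",)
    if require:
        plan[req] = ("members",)
        if deny:
            plan[pre] = ("complement", allow, deny_g)   # helper group
            plan[base] = ("intersection", pre, req)
        else:
            # No deny group: the allow-minus-deny composite is skipped.
            plan[base] = ("intersection", allow, req)
    elif deny:
        plan[base] = ("complement", allow, deny_g)
    else:
        # Assumption: with no deny and no require, overall = allow.
        plan[base] = ("includes", allow)
    return plan


def resolve(plan, direct, name):
    """Compute the effective membership of `name` from direct memberships."""
    kind, *args = plan[name]
    if kind == "members":
        return set(direct.get(name, ()))
    if kind == "includes":
        return resolve(plan, direct, args[0])
    left, right = (resolve(plan, direct, g) for g in args)
    return left - right if kind == "complement" else left & right


# Constructed sample memberships (subjects are made up for the example).
BASE = "whateverFolder:wikiUser"
DIRECT = {
    BASE + "_allow": {"alice", "bob", "carol"},
    BASE + "_deny": {"bob"},                       # e.g. via a lockout ref group
    BASE + "_requireInGroup": {"alice", "bob", "dave"},
}
```

      With both options checked, `resolve(plan_policy_groups(BASE, True, True), DIRECT, BASE)` yields only `alice`: `bob` is removed by the deny group even though he is in the require group, and `carol` fails the require check.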






            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)