Critical Description
There isn't a permission that exists today that allows a user to only attest/clear attestation on a group. Either the user does not see any of the attestation elements(Reader,Viewer), or can configure/disable/edit attestation(updaters, admins). If the attestation is inherited, a local configuration can be made to supersede the inherited configuration, which may be unintended or undesired in use cases.
The proposed solution would be to allow updaters the ability to attest and clear the attestation of the group as well as view the other settings, but not be able to create or modify them. Group admins will retain their existing abilities and be able to configure/edit/and attest groups. This delineation will allow deployers to implement and enforce an attestation policy on groups by direct or inherited configuration that end users cannot modify.
