When working with repositories and groups, we have (by default) two line items for the permissions. See below.
We include the Default permissions, which in our case are set to none. However, we also include permissions for an Employee group which is write. We do this so that our customers only can see what we explicitly give them access to see.
I think it would be useful to implement default permissions the same way you would handle permissions for a repository or group. That is, by default, I would like to be able to configure multiple users permissions that be applied to any group or repository created.
Something like I have pasted together below is what I had in mind. I think this would be very useful.