I am totally in support.
I invited a guest to my deployment and permitted them to view only one template
Later when I added a new template, the invited user, by default, could see and use that which I did not want. So I had to adjust the permissions manually.

We should definitely change our default behavior.

One annoying issue with this is that AGPL does not have the group feature, so if we make the default to exclude "everyone", then only admins can see templates on AGPL deployments.

This is where the default code lives now for "everyone" can read:

I prefer not to add more args, but we could add an arg to the create to set the initial permissions. Then we can put the default behavior on the caller, and allow the FE/cli to control things.

@sreya @bpmct met this morning and discussed this issue.

We think that in any sizeable deployment both "everyone has access" and "everyone has no access" are useless modes and the creator would immediately change permissions following create. Thus, if a deployment has template RBAC enabled we should prompt them to configure permissions in the create flow.

@ammario just to confirm,

configure the permissions in the create flow

The create flow being the create template flow correct?

Yeah that was the idea. Not sure how it should look visually.

I'll consult with @BrunoQuaresma on looks 👍

So, what we want is to have a "Permissions" section in the create flow where the user can add users or groups. Is that correct?

@BrunoQuaresma Yes, or we just have a checkbox for the "allow everyone", and say a message like, "if you create this without everyone access, no one can use it until you edit the permissions on the template page".

But ideally some way to add groups/users on this page probably 🤔

I like the one you suggested most, it is easier and should solve the issue. We can get the one I mentioned if users ask for that.

@BrunoQuaresma I will make the backend api change to add a boolean field that disables usage by the "everyone group".

If we need to expand this later, we can add fields for adding specific users/groups

For the FE, if you want to do, you can just copy and paste the checkbox section we already have on that page and update the copy. Let me know if you need any help from me.

I'll do that!