Beaker should allow defining a groups members as everyone except a specific blacklist of users. Essentially the inverse of how a group is normally defined. This RFE is aiming to solve the same issue as bug 1170741 (giving access to a system to everyone except certain users) but the implementation should be somewhat simpler and have less impact on the scheduler, because group membership lookups only happen once whereas access policy rules have to be evaluated across N systems in every scheduler pass.
The main complexity here will be in the UI. This is made worse by the fact that the group page is still an ugly mess of old TG widgets. If we can port to Backbone first that might makes things easier.
Since we have ported the group page to Backbone.js(https://bugzilla.redhat.com/show_bug.cgi?id=1251356), then we can start implement this.
Matt's patches for this feature are now merged. They were: http://gerrit.beaker-project.org/4324 add support for inverted groups http://gerrit.beaker-project.org/4517 HTTP API for inverted group page http://gerrit.beaker-project.org/4519 inverted group page
Beaker 22.0 has been released.