The ability to set user group permissions explicitly, such as deny all except <company> or allow all except <company>. Right now if we want to grant a user access to a specific set of companies, then create a new company we have to then go in a manually deny it across groups, and we can't manage group permissions via API so there's no automated way to handle this.