If I understood the permission related helpers in app/registries/plugin.rb we have a couple options:

1) add_permissions_to_default_roles - Here I'd need to list ALL the permissions except the one I don't want included. Also one needs to separate the different permissions for viewer/manager by hand. Apart from it being ugly, I couldn't manage to get it working at all. All attempts failed with

foreman/app/models/role.rb:336:in `permission_records': ERF73-0602 [Foreman::PermissionMissingException]: »some permissions were not found: []« (Foreman::PermissionMissingException)

2) add_resource_permissions_to_default_roles - Here I'd need to list all the resources and according to the comment above the method I should be able to pass an array of permissions to be excluded. Sounds good, doesn't work. Interestingly enough, all attempts failed with the same error as option 1.

Here I propose to add a keyword argument "except" to add_all_permissions_to_default_roles, which would prevent listed permissions from being added to the default roles. It is more inline with the idea of "add all permissions except for the selected few" rather than "to exclude this permission, I need to explicitly state all that should be included"