+1
Under Review

Ability to create a session group that is hidden to all role groups by default.

Nicholas Aguirre 1 year ago updated by Caitlin Barnes (Product Manager) 11 months ago 4

By default session groups are visible to all and have to be hidden for each role one by one. With lots of session groups or lots of roles this is both time consuming and hard to manage.


Example: If I create a session group called "Florida Group" and only wanted my FL role to see it, instead of going only to FL and turning the session group on, I instead have to go to the other 49+ groups to hide the session group from them.


I gave an example above that was pretty clear but I will try to give another example. Your system is set up so that a new session group shows up for all roles. If I set up a 'Support' role and a 'Systems Admin' role and I create a session group for only the systems that the Systems Admin should see I have to go into all existing roles and any new roles and uncheck the ability to see that session group. This might not be an issue for one or two roles but if you have many session groups and many roles this becomes a large process each time you add a new role or session group.

It makes a lot more sense, in my opinion, to have session groups hidden from all roles that don't have explicit access. When a session group is created it should ask what roles you want to see it and when a new role is created it should ask what session groups you want them to be able to see. On any role-based service I have used besides this one, grouping, folders, access, etc. isn't granted by default... it has to be given.

Another example, if an employee wants access to their systems but doesn't want any of the other staff to have access to their system the admin would have to create a session group for those computers and instead of granting access to only that employee's account or role they would have to go into every existing role and hide the access to that session group. Let's say you had 30 different roles in your business, to hide that one session group you would have to open and edit 29 different roles just to hide access to a session group vs opening one role and giving access to that session group.

Short and sweet, there is no easy way to create a session that only one role can see without going in and removing access from every other role in your system. Worse off, if you create a session group that should only be visible to one role, add a new role, and you forget to remove the access to that session group for that new role you now have a role that can, out of the box, see a session group it shouldn't. This is time-consuming, problematic and the opposite of how every other role restricted system works.

It doesn't matter the case. We have 5 roles and even that is too many to have to handle the above task. It is backward from any other system. If you were using AD and put a new folder on a network... your members wouldn't just have access to it unless you set the access to everyone. It would require you to add the roles/members you wanted to have access to it. But your system automatically gives everyone access without allowing the admin to restrict the access to roles without having to open each role one by one to adjust their rights individually.

You can set the global session group viewing permission under "AllSessionGroups" when you edit the role. If you deselect "ViewSessionGroup" under "AllSessionGroups," going forward, all session groups will be invisible to that role. To allow only certain session groups to be visible, you'd need to edit by role and select which session groups that role can see. That sounds like what you're after.

This way, you'll have to update your 5 roles to remove the ViewSessionGroup permission, but then you're only selecting the session groups you want that role to access, as opposed to deselecting all the session groups you don't want them to see.
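
Added example (not part of the thread and not the product's own code): a small Python model of the two setups discussed above, with an audit that lists every role able to see a session group it was not meant to see. Only the names `AllSessionGroups` and `ViewSessionGroup` come from the thread; the role and group names, the data layout and the additive-grant evaluation rule are assumptions made for illustration.

```python
ALL = "AllSessionGroups"    # global scope named in the reply above
VIEW = "ViewSessionGroup"   # permission named in the reply above

def can_view(role, group):
    """Assumed rule: visible if VIEW is held globally or on that one group."""
    grants = role["grants"]
    return VIEW in grants.get(ALL, set()) or VIEW in grants.get(group, set())

def audit(roles, intended):
    """Return (role, group, how) for each role that sees a group it should not.
    `intended` maps each session group to the set of roles meant to see it."""
    findings = []
    for name in sorted(roles):
        is_global = VIEW in roles[name]["grants"].get(ALL, set())
        for group in sorted(intended):
            if can_view(roles[name], group) and name not in intended[group]:
                findings.append((name, group, "global" if is_global else "explicit"))
    return findings

def lock_down(role, visible_groups):
    """Remove the global VIEW grant, then grant VIEW per group (default deny)."""
    role["grants"].get(ALL, set()).discard(VIEW)
    for group in visible_groups:
        role["grants"].setdefault(group, set()).add(VIEW)

def sample_roles():
    # Constructed sample: every role, including a newly added one, starts
    # with the global grant, which is the default the thread describes.
    names = ["Support", "Systems Admin", "Contractor"]
    return {n: {"grants": {ALL: {VIEW}}} for n in names}

# Constructed policy: which roles are meant to see which session group.
INTENDED = {
    "Admin Systems": {"Systems Admin"},
    "Helpdesk PCs": {"Support", "Systems Admin"},
}

def demo():
    roles = sample_roles()
    before = audit(roles, INTENDED)   # exposure under visible-by-default
    for name, role in roles.items():
        lock_down(role, [g for g, ok in INTENDED.items() if name in ok])
    after = audit(roles, INTENDED)    # exposure once grants are explicit
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

Running the same audit after every new role or session group is added catches the case raised earlier in the thread, where a new role can see a restricted group out of the box.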