RHDHPLAN-333 (RH Developer Hub Planning)

Implement default role and permission for rbac-backend plugin


      Status: 0% To Do, 100% In Progress, 0% Done

      Feature Overview (aka. Goal Summary)

      Support defining a defaultRole (or defaultPolicy or similar) configuration option that lets administrators specify a fallback role applied to all authenticated users, without requiring explicit group membership or policy mappings.

      Support adding permissions to this default role; the concrete implementation is up for discussion. We could add a defaultPermissions configuration option that lets administrators specify which permissions the default role receives. Other options include adding permissions via the policy CSV file or the RBAC UI.

      This feature request comes from the community (https://github.com/backstage/community-plugins/issues/5358) and there are already pull requests with implementation proposals:

      This feature also partially addresses these other community feature requests:

      1. When using Backstage's Sign-In without Users in the Catalog feature, @backstage-community/plugin-rbac-backend cannot evaluate permissions for users that are not present in the catalog
      2. Avoid requiring 'all-employee' groups, as mentioned in the wildcard support request: https://issues.redhat.com/browse/RHIDP-6493


      Goals (aka. expected user outcomes)

      Provide an RBAC role with default permissions for all users and groups.

      • New configuration option permission.rbac.defaultRole (or similar) in app-config.yaml that accepts a role reference (e.g., role:default/authenticated-user)
      • Allow adding default permissions to the role. This is up for discussion and depends upon what we specify as the role source, either:
        • New configuration option permission.rbac.defaultPermissions in app-config.yaml that accepts permissions for the role
        • Explicit group/user mappings in policy CSV can add additional permissions on top
        • Adding permissions via RBAC UI for the default role
      • Example configuration (rbac is nested under permission, matching the permission.rbac.* option names above):
          permission:
            enabled: true
            rbac:
              defaultRole: role:default/authenticated-user
              defaultPermissions:
                - permission: catalog-entity # Resource type
                  policy: read
                  effect: allow
                - permission: catalog.entity.read # Permission name has priority
                  policy: read
                  effect: allow
                - permission: scaffolder.template.step.read
                  policy: read
                  effect: allow
                - permission: scaffolder.task.create
                  policy: create
                  effect: allow
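      The following is an added illustrative model, not code from the rbac-backend plugin or from the pull requests referenced above, of how the proposed defaultRole and defaultPermissions options could combine with explicit policy CSV mappings. It assumes the two line kinds the plugin's policy CSV uses today (`p, <role>, <permission>, <policy>, <effect>` and `g, <member>, <role>`), that a policy matches either the permission name or its resource type, and that an explicit deny overrides any allow; the user refs, role names and CSV content are constructed sample data.

```typescript
// Added example: a small model of the proposed defaultRole/defaultPermissions
// semantics combined with policy CSV mappings. Not rbac-backend plugin code.

type Effect = 'allow' | 'deny';

interface PermissionPolicy {
  permission: string; // permission name (catalog.entity.read) or resource type (catalog-entity)
  policy: string;     // action: read, create, update, delete, use
  effect: Effect;
}

interface RbacConfig {
  defaultRole?: string;                   // e.g. role:default/authenticated-user
  defaultPermissions?: PermissionPolicy[];
}

interface PolicyStore {
  rolePolicies: { [role: string]: PermissionPolicy[] }; // role ref -> policies
  memberRoles: { [memberRef: string]: string[] };       // user/group ref -> roles
}

interface PermissionRequest {
  name: string;          // e.g. catalog.entity.read
  resourceType?: string; // e.g. catalog-entity, for resource-scoped permissions
  action: string;        // e.g. read
}

function addPolicy(store: PolicyStore, role: string, p: PermissionPolicy): void {
  const list = store.rolePolicies[role] ?? [];
  list.push(p);
  store.rolePolicies[role] = list;
}

// Parse the two Casbin-style line kinds of the policy CSV:
//   p, <role>, <permission or resource type>, <action>, <allow|deny>
//   g, <user or group ref>, <role>
// Any other line is rejected so a typo cannot silently widen access.
function parsePolicyCsv(csv: string): PolicyStore {
  const store: PolicyStore = { rolePolicies: {}, memberRoles: {} };
  for (const raw of csv.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.charAt(0) === '#') continue;
    const [kind, a, b, c, d] = line.split(',').map(s => s.trim());
    if (kind === 'p' && a && b && c && (d === 'allow' || d === 'deny')) {
      addPolicy(store, a, { permission: b, policy: c, effect: d });
    } else if (kind === 'g' && a && b && c === undefined) {
      const roles = store.memberRoles[a] ?? [];
      roles.push(b);
      store.memberRoles[a] = roles;
    } else {
      throw new Error('malformed policy line: ' + line);
    }
  }
  return store;
}

// Materialise the configured default role as ordinary role policies, so it
// sits beside the CSV-defined roles and is evaluated the same way.
function applyDefaultRole(store: PolicyStore, config: RbacConfig): void {
  if (!config.defaultRole) return;
  for (const p of config.defaultPermissions ?? []) addPolicy(store, config.defaultRole, p);
}

// Roles for a principal: an authenticated user gets the default role even with
// no g-line and no catalog entry; an unauthenticated request gets no roles.
function rolesFor(store: PolicyStore, config: RbacConfig, userRef: string | undefined): string[] {
  if (userRef === undefined) return [];
  const roles = (store.memberRoles[userRef] ?? []).slice();
  if (config.defaultRole && roles.indexOf(config.defaultRole) === -1) roles.push(config.defaultRole);
  return roles;
}

// Assumed effect rule: allow if some matching policy allows and none denies.
function isAllowed(store: PolicyStore, config: RbacConfig,
                   userRef: string | undefined, req: PermissionRequest): boolean {
  let allowed = false;
  for (const role of rolesFor(store, config, userRef)) {
    for (const p of store.rolePolicies[role] ?? []) {
      if (p.policy !== req.action) continue;
      if (p.permission !== req.name && p.permission !== req.resourceType) continue;
      if (p.effect === 'deny') return false; // explicit deny wins
      allowed = true;
    }
  }
  return allowed;
}

// Constructed sample config (mirrors the epic's example) and a constructed CSV.
const sampleConfig: RbacConfig = {
  defaultRole: 'role:default/authenticated-user',
  defaultPermissions: [
    { permission: 'catalog-entity', policy: 'read', effect: 'allow' },
    { permission: 'catalog.entity.read', policy: 'read', effect: 'allow' },
    { permission: 'scaffolder.template.step.read', policy: 'read', effect: 'allow' },
    { permission: 'scaffolder.task.create', policy: 'create', effect: 'allow' },
  ],
};

const samplePolicyCsv = [
  '# constructed sample: explicit mappings layered on top of the default role',
  'p, role:default/catalog-admins, catalog.entity.delete, delete, allow',
  'p, role:default/no-scaffolding, scaffolder.task.create, create, deny',
  'g, user:default/alice, role:default/catalog-admins',
  'g, user:default/carol, role:default/no-scaffolding',
].join('\n');

function buildStore(config: RbacConfig = sampleConfig): PolicyStore {
  const store = parsePolicyCsv(samplePolicyCsv);
  applyDefaultRole(store, config);
  return store;
}

const CATALOG_READ: PermissionRequest = { name: 'catalog.entity.read', resourceType: 'catalog-entity', action: 'read' };
const CATALOG_DELETE: PermissionRequest = { name: 'catalog.entity.delete', resourceType: 'catalog-entity', action: 'delete' };
const TASK_CREATE: PermissionRequest = { name: 'scaffolder.task.create', action: 'create' };
```

      The constructed user:default/bob has no CSV line at all, so today's plugin would give him nothing; with the default role he can read catalog entities but still cannot delete them, which is the difference between this feature and the admin-users option. Alice gains delete on top of the default role through her g-line, and Carol's explicit deny removes task creation even though the default role allows it.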

      Requirements (aka. Acceptance Criteria):

      • As an admin, I want to be able to define a default role directly within the `app-config.yaml` file, so that I don't have to manually create an all-users group and assign every user to it

      Out of Scope (Optional)

      High-level list of items that are out of scope.


      Customer Considerations (Optional)

      The RBAC plugin currently requires explicit role assignment for every user or group to receive permissions. For large organizations, this creates a significant administrative burden when you want to provide baseline permissions to all authenticated users.

      Currently, to provide baseline permissions to all users in a Backstage instance, you must:

      1. Create a group containing all users, or
      2. Use the admin users configuration (which grants unlimited access), or
      3. Manually assign every individual user to a role

      For organizations with large user bases, none of these approaches is scalable or maintainable:

      • Group-based approach: Requires maintaining group membership for every user
      • Admin Users: Provides unlimited access, which is too permissive for baseline permissions
      • Individual assignment: Not feasible for large user counts

      Documentation Considerations

      • As a platform engineer, I want to be able to find information on how to configure the default role and its permissions.

              Aleksander Andriienko (oandriie)
              RHDH Plugins