Allow Promapp users to be removed from the ALL STAFF role

We have some external users (i.e. consultants) that we need to be able to restrict to seeing only select process groups in Promapp based on what they are approved to see. We also have some other process group folders that need to be restricted from the majority of users for confidentially reasons.

We would prefer to use the ALL STAFF role as the default for controlling access, as this would allow new users who sync by SSO to see the correct folders by default. We would remove the ALL STAFF role from the restricted folders, and any external users that need to have restricted access would not be added by SSO and so could be removed from the ALL STAFF group during that manual process of adding them to Promapp.

Currently as we can't remove users from the ALL STAFF role, to achieve this we have to have additional roles to drive access, that we have to add every single user to ensure the right level of access is achieved. This adds unnecessary additional time to setting up new users that could be done automatically for 99% of new users. In addition we also have other functionality issues such as not being able to share group minimode links, as having all folders as 'locked down', group minimodes don't work for unauthenticated users.