RBAC in CG now allows customers to define roles that provide permissions to users on all the applications except a few. Till now customers could select all or selective applications when scoping permissions on application but now they will also be able to select applications for exclusion. This helps in catering to scenarios where they want to have strict control over a set of sensitive / critical applications while allowing their teams to manage rest of the applications. This feature automatically includes any new application that is created in Harness in the list of allowed applications but they can be moved to excluded category by explicitly modifying the scope.
In the example below, permissions will apply to all the applications except "K8S Sample App" when "Exclude Selected" option is used
This is feature is behind FF