This is in Grouper 2.4.0 UI patch #38

Add a policy group to a folder



You will see options with some selected by default


That creates this structure


Configure lockout groups and require groups

You can define lockout groups and require groups that users can use in policies even if they cannot READ them. Configure them in grouper.properties:

##################################
## Lockout groups.  Could be used for other things, but used for policy group templates at least
## if there is no allowed group, then anyone could use it
##################################

# group name of a lockout group
# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"}
grouper.lockoutGroup.name.0 = ref:lockout

# allowed to use this lockout group.  If not configured, anyone could use
# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"}
grouper.lockoutGroup.allowedToUse.0 = ref:lockoutAllowedToUse

##################################
## Require groups.  Could be used for other things, but used for policy group templates at least
## if there is no allowed group, then anyone could use it
##################################

# group name of a require group
# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
grouper.requireGroup.name.0 = ref:active

# allowed to use this require group.  If not configured, anyone could use
# {valueType: "group", regex: "^grouper\\.requireGroup\\.allowedToUse\\.\\d+$"}
grouper.requireGroup.allowedToUse.0 = ref:activeCanUse


# group name of a require group
# {valueType: "group", regex: "^grouper\\.requireGroup\\.name\\.\\d+$"}
grouper.requireGroup.name.1 = ref:employee

# allowed to use this require group.  If not configured, anyone could use
# {valueType: "group", regex: "^grouper\\.requireGroup\\.allowedToUse\\.\\d+$"}
grouper.requireGroup.allowedToUse.1 = ref:employeeCanUse
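
An added example, not part of the Grouper documentation or code base: a small Python check that reads grouper.properties text and flags lockout or require groups with no allowedToUse entry (which, per the comments above, means anyone could use them), plus allowedToUse entries whose index has no matching name. The parser is simplified (no line continuations or escapes), and the sample input, including ref:contractorCanUse, is constructed.

```python
import re

# Keys documented on this page: grouper.<kind>.<field>.<index>
KEY_RE = re.compile(r"^grouper\.(lockoutGroup|requireGroup)\.(name|allowedToUse)\.(\d+)$")
# Simplified .properties line: key, optional '=' or ':', value (assumption: no continuations/escapes)
LINE_RE = re.compile(r"^\s*([^\s=:#!][^\s=:]*)\s*[=:]?\s*(.*?)\s*$")

def audit_policy_groups(properties_text):
    """Return (entries, findings) for lockout/require group settings."""
    entries = {}  # (kind, index) -> {"name": ..., "allowedToUse": ...}
    for line in properties_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or comment
        k = KEY_RE.match(m.group(1))
        if k:
            kind, field, index = k.group(1), k.group(2), int(k.group(3))
            entries.setdefault((kind, index), {})[field] = m.group(2)
    findings = []
    for (kind, index), cfg in sorted(entries.items()):
        name, allowed = cfg.get("name"), cfg.get("allowedToUse")
        if name and not allowed:
            findings.append((kind, index, name, "no allowedToUse: anyone could use this group"))
        elif allowed and not name:
            findings.append((kind, index, allowed, "allowedToUse set but no name at this index"))
    return entries, findings

# Constructed sample, modelled on the settings shown above
SAMPLE = """\
grouper.lockoutGroup.name.0 = ref:lockout
grouper.lockoutGroup.allowedToUse.0 = ref:lockoutAllowedToUse
grouper.requireGroup.name.0 = ref:active
grouper.requireGroup.allowedToUse.0 = ref:activeCanUse
# index 1 has a name but its allowedToUse line is commented out
grouper.requireGroup.name.1 = ref:employee
# grouper.requireGroup.allowedToUse.1 = ref:employeeCanUse
# index mismatch: allowedToUse.3 has no requireGroup.name.3
grouper.requireGroup.allowedToUse.3 = ref:contractorCanUse
"""

if __name__ == "__main__":
    for kind, index, group, issue in audit_policy_groups(SAMPLE)[1]:
        print(f"{kind}.{index} ({group}): {issue}")
```
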