By default, all users are created with access to all devices. It would make much more sense to be able to assgin user 'roles' specific tags so that a user created with 'read only' access for instance only has access to specific tags. I see two scenarios that would be extremely useful:
1. Tie user roles to default tags
2. Change default tags for users without tags assigned
These options would greatly help to reduce the administration time involved with setting up new users and would provide a lot of flexibility.,
[Implemented] Modify Device Access Default Tags
Starting with 2.5.0, we reworked Device Access into Object Access Policies. Using this new system, you can create a no-access policy, and use it when creating new users. While this is not exactly what you asked for, it allows you to easily provision new users with no or limited object access.
In essence, starting with 2.5.0-Beta1, you should be able to achieve what you asked for by creating a no-access policy, and using it for new users. More info on this in the 2.5.0-Beta1 thread: viewtopic.php?f=4&t=1784