Should have been zero permissions by default. The current model is a mess of global settings, workflow permissions, and job tokens that nobody understands.