Paid Seat group "profiles" for SSO provisioning

As a paid seat group owner, I would like to establish standard permissions for users in my paid seat group that I can apply through SSO at the time of seat provisioning.

These permissions include both roles (owner, contributor, custom role) as well as feature-specific permissions like work request notifications.