...
For privileges on that, you should need: courses:etc:courseReaders to be able to read all groups, and courses:etc:courseUpdaters to be able to update only the include/exclude group. You should be able to apply a rule on the "courses" stem which has an "if" on the group name: if it ends in _includes or _excludes, then courseUpdaters should be able to update the group.
...
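An added example, not part of the original message and not Grouper's rule API: a Python check that audits a list of grants against the outcome described above, reporting both missing and excess privileges. The (group, subject, privilege) tuple format, the sample group names, and the reading of "all groups" as every group under the courses stem are assumptions.

```python
# Added audit sketch. The grant format and all sample data are constructed.
STEM = "courses"
READERS = "courses:etc:courseReaders"
UPDATERS = "courses:etc:courseUpdaters"
SUFFIXES = ("_includes", "_excludes")

def in_stem(group, stem=STEM):
    # Match on the stem boundary so "courses2:x" is not treated as inside "courses".
    return group.startswith(stem + ":")

def expected(group):
    """(subject, privilege) pairs the described rule should yield on `group`."""
    want = set()
    if in_stem(group):
        want.add((READERS, "read"))  # assumption: readers read every group in the stem
        if group.endswith(SUFFIXES):
            want.add((UPDATERS, "update"))  # the "if" on the group name
    return want

def audit(groups, grants):
    """Return (missing, excess) for readers' read and updaters' update only."""
    checked = {(READERS, "read"), (UPDATERS, "update")}
    actual = {(g, s, p) for g, s, p in grants if (s, p) in checked}
    wanted = {(g, s, p) for g in groups for s, p in expected(g)}
    return sorted(wanted - actual), sorted(actual - wanted)

# Constructed sample: one update grant is missing and one is too broad.
SAMPLE_GROUPS = [
    "courses:math101",
    "courses:math101_includes",
    "courses:math101_excludes",
    "courses:math101_staff",
]
SAMPLE_GRANTS = [(g, READERS, "read") for g in SAMPLE_GROUPS] + [
    ("courses:math101_includes", UPDATERS, "update"),
    ("courses:math101", UPDATERS, "update"),  # over-grant: not an include/exclude group
]

if __name__ == "__main__":
    missing, excess = audit(SAMPLE_GROUPS, SAMPLE_GRANTS)
    for g, s, p in missing:
        print(f"MISSING {p:6} {s} on {g}")
    for g, s, p in excess:
        print(f"EXCESS  {p:6} {s} on {g}")
```

Other privileges held by the two groups are ignored by this check, since the text only specifies read for courseReaders and update for courseUpdaters.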