In my web application, users are assigned to groups and groups are granted permissions on objects. The application exposes some objects to unauthenticated public users (i.e. people casually visiting the website).
I have thought about having an object attribute of "visible to public" that grants unauthenticated users that access.
I have also thought about creating a group named Public, and giving that group permissions like any other group - then automatically treating the unauthenticated user as a "dummy" user who is a member of that group.
The latter seems simpler from the perspective of the interface (both API and UI) for managing permissions. But the concept of the Public group being special feels like a slight design smell. Am I missing any security principles that would make this undesirable?
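The Public-group option described above, as an added example that is not part of the original post: unauthenticated requests map to one anonymous principal, and the special case is confined to two guarded places. The `read`-only cap on Public, the implicit Public membership for signed-in users, and all class and function names are assumptions of this example.

```python
from dataclasses import dataclass, field

PUBLIC = "Public"                      # reserved built-in group (name from the post)
PUBLIC_ALLOWED = frozenset({"read"})   # assumption: the most Public may ever hold


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()
    authenticated: bool = True

    def effective_groups(self):
        # Assumption: everyone is implicitly in Public, so signing in
        # never yields less access than an anonymous visit.
        return self.groups | {PUBLIC}


# The "dummy" user that every unauthenticated request is mapped to.
ANONYMOUS = Principal("anonymous", frozenset(), authenticated=False)


@dataclass
class Acl:
    grants: dict = field(default_factory=dict)  # (group, object_id) -> permissions

    def grant(self, group, object_id, permission):
        # Guard the special group when a grant is written...
        if group == PUBLIC and permission not in PUBLIC_ALLOWED:
            raise PermissionError(f"{permission!r} cannot be granted to {PUBLIC}")
        self.grants.setdefault((group, object_id), set()).add(permission)

    def allowed(self, principal, object_id, permission):
        # An unauthenticated principal is only ever evaluated against Public,
        # whatever its groups attribute claims.
        groups = principal.effective_groups() if principal.authenticated else {PUBLIC}
        for g in groups:
            # ...and again when it is read, so a bad stored grant fails closed.
            if g == PUBLIC and permission not in PUBLIC_ALLOWED:
                continue
            if permission in self.grants.get((g, object_id), ()):
                return True
        return False

    def public_objects(self):
        # Audit view: the same list a "visible to public" flag would give.
        return sorted(o for (g, o), p in self.grants.items() if g == PUBLIC and p)
```

With this shape the management API and UI treat Public like any other group, while `public_objects()` keeps the set of publicly exposed objects as easy to review as a per-object flag would.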