For show/hide apps, IMHO the default should be “deny all”+“permited lists”, so any new installed app will not allowed automatically by accident. The way around, if we install any new plugin or apps, users will be able to access it by default and that may be dangerous.
Of course, the deny all require more work to setup and that may not be that friendly for new users
Maybe a option “kibana_apps_access_rule: (show:hide)” and the “kibana_apps_invert_access_rule: [(apps list)]”
This would allow one to choose the default access rule and the use the other option to allow/deny access to apps, depending of what the default is. This would give both worlds, while keeping mostly the same options.
If you do not like a option that change its meaning, use the kibana_hide_apps/kibana_show_apps, but only allow the one that is the opposite of the default and errors when the other is used, so no one tries to mix both
About the settings, native forms are always more friendly… but always give some way to one push yaml via a curl, so tools like chef, puppet, ansible, salt can push configuration changes without requiring any manual changes. This is very important for people that use configuration management systems!