Update permissions so that access for managing group member access is separate from binding roles
Fulvous Otter
The "core_usergroup_manageUsers" permission grants access to add users to groups, but it also grants access to binding roles/resource groups on users AND groups.
Ideally this permission would be 3 separate permissions: one for managing group membership (adding/removing members of groups), one for managing role bindings on groups, and one for managing role bindings on users.
This came up as we would like to grant access for users to add users to their project, add them to pre-set groups with pre-set role bindings, as there are many permissions we don't want to allow users to have for maintaining our security model. Since adding users to groups comes bundled with managing role bindings, users with this permission can bypass the access controls we've put in place and grant themselves or anyone else any role/permissions in the platform.