Resource Group insecurity

We believe the following shows a security bug in the "Passwords owned and shared" scope for users:

- create any new users (A and B)
- make User A a password admin; make User B a password admin or password user.
- set both users' Access Scope to "Passwords owned and shared"
- User A creates a resource group with a criterion like "Resource Name does not contain ZZZZZ" (i.e. match every resource that is in scope).
- User A can only see resources "owned and shared" in this resource group - this seems correct.
- User A shares this resource group with User B
- User B can now see every resource in the whole system as if they were an Administrator, i.e. much more than just "owned and shared" and much more than User A.

Please advise if this is expected behaviour.
