Who can administer User Groups

User groups are great but...

In setting up an area for a support team I created an AD group, imported it into PMP, set one of the new users up as a Password Admin and then provided my documentation on how to use PMP to securely store passwords. I sat with the guy as he created a CSV file and started to import the passwords.

I showed him how to create a Resource Group using dynamic criteria so all his resources would be automatically added to the Resource Group as they were imported. Then I showed him how to share it to all his team members using the User Group I'd set up.

Great, now he creates a CSV with all the resources in, imports the CSV and PMP adds the Resources to the Resource Group and all of his team can access the passwords, and it all happens in one step now that it's all set up.

BUT there was a BUT in my first line! 

I am not part of his team. Currently I cannot see any Resources he added as they are not owned by nor shared to me. BUT, and here it is, I can add myself to the PMP group and BINGO, I have access to his passwords. That's NOT secure. Yes, I can AUDIT this but the damage is done already; prevention is definitely better than the cure.

Is there a way of preventing this?

I cannot see a group owner. I'm thinking groups should be the same as Resources. Password Admins should be able to add user groups. They own them and can share management in exactly the same way as Resources. That way I can set up a PMP group and then transfer ownership to the support team for subsequent management. Leave the AD group security to me; this is out of scope of PMP's control and perhaps this leans me towards not using AD groups as a way of automating a Joiners Leavers Transfer process.

Right now the only solution I see is for this support team to share resources to Users, not User Groups, which makes the PMP User Groups useless as they present a security hole. The downside is that for a BIG team this is going to be painfully slow for him to set up.

Thoughts?

https://clan8blog.wordpress.com/
