This is included in grouper 2.4 api patch 37, and 2.4 ui patch 18.
You can enforce separation of duties by not allowing a (updater/admin) user to add themself to a group. Someone else has to.
By default a group admin can assign this to a group. But by default only wheel group members can unassign. This is configurable below. Group viewers can see if it is assigned (if this feature is enabled).
This is implemented with an implicit hook (you don't have to configure it)
Veto screen
View group screen
View if this feature is assigned to a group (viewers of group can see this in "more info")
Edit if allowed to edit
Edit screen if not allowed to edit
Configure
To enable this feature, in In grouper.properties set this to true
...