Basically they seem to remember if a user was given permissions individually or as part of a group. It is impossible to manually add or remove permissions that a user was given via the group (greyed out). If a user was member of a project before his group was added, he will remain a member even if you remove his group.
I have not looked at the underlying DB yet but I wanted to point out that his is how I think it should work.
Update:
I compared this behaviour to redmine and I believe they have a very elegant solution, at least from the user perspective.
You can try it here: http:// demo.redmine. org/
Basically they seem to remember if a user was given permissions individually or as part of a group. It is impossible to manually add or remove permissions that a user was given via the group (greyed out). If a user was member of a project before his group was added, he will remain a member even if you remove his group.
I have not looked at the underlying DB yet but I wanted to point out that his is how I think it should work.