Comment 1 for bug 1085012

Update:
I compared this behaviour to redmine and I believe they have a very elegant solution, at least from the user perspective.

You can try it here: http://demo.redmine.org/

Basically they seem to remember if a user was given permissions individually or as part of a group. It is impossible to manually add or remove permissions that a user was given via the group (greyed out). If a user was member of a project before his group was added, he will remain a member even if you remove his group.

I have not looked at the underlying DB yet but I wanted to point out that his is how I think it should work.