Allowing user to modify group memberships

I would like for users in a group to be able to manage the users of that group. So far I have:

path "secret/data/fpd/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# allow modifying the group fpd-admin
path "identity/group/*" {
  capabilities = ["read", "list"]
}
path "identity/group/id/{{identity.groups.names.fpd-admin.id}}" {
  capabilities = ["update", "read"]
}

# allow browsing of entities
path "identity/entity" {
  capabilities = ["list"]
}
path "identity/entity/id" {
  capabilities = ["list"]
}
path "identity/entity/id/*" {
  capabilities = ["read"]
}

Whilst it seems to work (this policy is added to the group fpd-admin and allows entities/users of that group to list, add and remove users from the fpd-admin group), it also allows those users to add and change the policies associated with that group, i.e. they can just add another policy (say vault-admin) to fpd-admin and have more power than they should.

Is there a deny endpoint I can add to prevent changes to the policies associated with this group?
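Added example, not part of the original post and not Vault's own tooling: because update access on an identity group covers both its member list and its `policies` field, one defender-side control is to watch the Vault audit log for group updates whose request data carries a `policies` key, while ordinary membership changes on `member_entity_ids` pass unflagged. The script below runs that check over constructed audit-device lines; the group id `g-fpd-admin-0001`, the entity ids and the display names are placeholders, and it assumes the standard file audit device layout (`type`, `time`, `auth`, `request` with `operation`, `path` and `data`).

```python
"""Flag Vault audit entries that change the policies attached to a watched group.

Assumptions: one JSON object per line, as written by Vault's file audit device.
Audit devices HMAC data *values* by default, but data *keys* stay in the clear,
so the presence of a "policies" key in request.data is still observable.
"""
import json

# Constructed sample audit lines (not real Vault output).
SAMPLE_AUDIT_LINES = [
    # membership change on the watched group: allowed by the posted policy, not flagged
    json.dumps({"type": "request", "time": "2024-01-01T10:00:00Z",
                "auth": {"display_name": "userpass-alice", "entity_id": "e-alice"},
                "request": {"operation": "update",
                            "path": "identity/group/id/g-fpd-admin-0001",
                            "data": {"member_entity_ids": ["e-bob", "e-carol"]}}}),
    # policy change on the same group: the privilege-escalation path described above
    json.dumps({"type": "request", "time": "2024-01-01T10:01:00Z",
                "auth": {"display_name": "userpass-alice", "entity_id": "e-alice"},
                "request": {"operation": "update",
                            "path": "identity/group/id/g-fpd-admin-0001",
                            "data": {"policies": ["fpd-admin", "vault-admin"]}}}),
    # the matching response entry repeats the request; it must not be double-counted
    json.dumps({"type": "response", "time": "2024-01-01T10:01:00Z",
                "auth": {"display_name": "userpass-alice", "entity_id": "e-alice"},
                "request": {"operation": "update",
                            "path": "identity/group/id/g-fpd-admin-0001",
                            "data": {"policies": ["fpd-admin", "vault-admin"]}},
                "response": {}}),
    # a read of the group carries no data and is not flagged
    json.dumps({"type": "request", "time": "2024-01-01T10:02:00Z",
                "auth": {"display_name": "userpass-bob", "entity_id": "e-bob"},
                "request": {"operation": "read",
                            "path": "identity/group/id/g-fpd-admin-0001"}}),
    # groups can also be written by name, so that path form is watched too
    json.dumps({"type": "request", "time": "2024-01-01T10:03:00Z",
                "auth": {"display_name": "userpass-bob", "entity_id": "e-bob"},
                "request": {"operation": "update",
                            "path": "identity/group/name/fpd-admin",
                            "data": {"policies": ["fpd-admin", "default"]}}}),
]


def parse_group_ref(path):
    """Return ("id", value) or ("name", value) for identity/group/{id,name}/<x>, else None."""
    parts = path.strip("/").split("/")
    if len(parts) == 4 and parts[:2] == ["identity", "group"] and parts[2] in ("id", "name"):
        return parts[2], parts[3]
    return None


def is_policy_change(entry, watched_ids, watched_names):
    """True when a request entry writes a `policies` field on a watched group."""
    if entry.get("type") != "request":  # response entries duplicate the request
        return False
    req = entry.get("request") or {}
    if req.get("operation") not in ("update", "create"):
        return False
    ref = parse_group_ref(req.get("path", ""))
    if ref is None:
        return False
    kind, value = ref
    watched = watched_ids if kind == "id" else watched_names
    if value not in watched:
        return False
    return "policies" in (req.get("data") or {})


def find_policy_changes(lines, watched_ids, watched_names):
    """Scan audit lines and return a finding per flagged group-policy write."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if is_policy_change(entry, watched_ids, watched_names):
            auth = entry.get("auth") or {}
            findings.append({
                "time": entry.get("time"),
                "actor": auth.get("display_name"),
                "entity_id": auth.get("entity_id"),
                "path": entry["request"]["path"],
                "policies": entry["request"]["data"].get("policies"),
            })
    return findings


if __name__ == "__main__":
    for f in find_policy_changes(SAMPLE_AUDIT_LINES, {"g-fpd-admin-0001"}, {"fpd-admin"}):
        print(f"{f['time']} {f['actor']} ({f['entity_id']}) wrote policies={f['policies']} to {f['path']}")
```

Keyed on the request entry only, the two sample policy writes (one by id, one by name) are reported once each, and the membership update and the read are ignored; in a live deployment the same check would run over the file audit device's output, or the findings would be forwarded to whatever alerting the Vault operators already use.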

No, you either have update access to a group (parameters and members) or you don’t. There is no finer control.