The edit of a project roles group membership should be guarded by the Browse Users global permission just like the user picker is for editing user project role membership. This issue is related to JRA-11884. To have the same behavior as the user picker we will need to change the UI to be like the User picker, with a Group chooser popup and the text input field that accepts comma delimited group names. We can then make it such that the picker does not show up when the user does not have the permission.