Using the standard concept you'll have to get creative with your S_USER_GRP and a supporting set of roles. This will have a maintenance overhead. A couple of alternatives are:
1. Have someone outside the team have access to grant them to users within the group (and be strict about enforcing user groups)
2. Run a detective report on a weekly basis to see who has done self-assignments (most commonly operated control that I have seen).
