https://hackerone.com/TEAM/groups URL is accessible to team members with Program permission, even when "Group Management" and "User Management" menus aren't visible.
I didn't research this further; however, I was able to grant all permissions to the user assigned to a group with
> Tested on a user assigned to a group with Program permissions
I noticed that hackerone.com/teams.json is accessible to users with "read-only" permission, but https://hackerone.com/TEAM/groups.json is accessible to users with at least 1 valid permission.
That's strange because the data is identical and allows disclosing user IDs, assigned groups, and group permissions.
Reporting 2 issues in one report, because it's hard to understand the real root cause of the broken RBAC.