Management of users cannot be restricted to a subgroup of dimension members - if a user has access to manage user security it is for all users. You can control the assignment of security groups to metadata items and artefacts but that is controlling access to data not restricting the management of users. The only way I see this working is for there to be an independent user who can only access security and who processes security requests. That user then checks that the person making the request can authorise the security eg a Corporate user cannot authorise a change for Subgroup Entity or account.
