Dynamic Security - Security API

I have a project with multiple groups in dynamic security setup . I also have a default group setup which works fine. The issue I have had for years is

when the Sub Administrator of client project needs to setup an Employee , it defaults the employee to default group which makes sense . I need for this Sub Administrator to

be able to change the employee setup to another group without assigning the Sub Admin ( Full Administrator Privileges - To the Admin Area ) which can do damage to the project

if they start checking wrong boxes in the admin area example .. page permissions. So in the meantime they have to contact me to change a user every time they have a new employee that changes to

another group. So if you have 20 clients with 20 sub administrators , you get a phone call or email, every time you need to put a user into another group.
I have looked through the Security API and see I can use setPermissions($table, $rights) after successful login event.

This still does not let me change the group the user belongs to , it just dynamically let's me change Add , edit , delete pages etc... for a table. I see I can also GET the User Group

using Security::getUserGroups() name which does nothing for me. Where can I actually SET User Groups without giving full access to Admin table, as the setAllowedPages function does not cut it either as it has no affect on page types the user has no access to. And using setPermissions function for "M" just sets to Admin when users can see/edit their own records. So don't see how that can do it either as just gives access not able to change groups here ( as I see it ).
I was thinking to have another table that I plan to use for example Sub_Admin_table ( only sub_admin has access to) that is a view of one of the security tables particularly the user group table and setup for client sub-admin to use to change user groups based on the usergroup table , but not sure for one if that is secure way of doing this[size="2"] and if it will break security and or project. [/size][size="2"]So not sure how to resolve this as this has been an issue for a long time now? [/size]
[size="2"]Is there any way I can use this table to change an Employee from one users group to another from this table without breaking security / project ? Any example would be appreciated. [/size]
It would be a nice feature if we had the option in security setup to choose a sub-administrator and give them admin access to change users to specific groups other than admin group without having access to change page permissions.