Manual:$wgAddGroups

Details
By default the bureaucrat user group may grant all rights, because of the following setting:

Note that groups which may only grant some rights (like bureaucrats in this example) need to have the userrights privilege set to false, otherwise they will still be able to add all groups (except in 1.11). Alternatively, $wgAddGroups can be defined without potentially overwriting an extension's definition:

If a group can add any right (example: bureaucrats can add any right): If a group can add only some rights (example: bureaucrats can add only sysop and bot groups):