It would be great to allow Groups to be a control for password visibility. Example, I don't want my help desk to see the domain admin password for a client, but they need to see everything else for said client. If we had a group that could include/exclude another tier of passwords versus seeing all.