Comment 2 for bug 1129720

I'm not sure adding the default group is the right fix for wanting ad-hoc per environment rules. I'd prefer if juju started tolerating external tampering with the environment-specific juju group it adds to all machines it creates. We could potentially report via status any addition ports opened.

There are arguments in all directions depending on the exact use-case though. In cases where you have more than one environment on the same cloud account (for instance, a staging and a live deployment), the fact the default group applies to both could cause issues, would be impossible to monitor/alter one without affecting the other. If the account is also used for non-juju work, sharing rules via the default group could be either a convenience or a hole.