Currently, Gerrit Manager has the ability to change group membership in 201 apparently randomly selected groups out of a total of 1630. Perhaps this was an error in the execution of T218761. The question is which groups is Gerrit Manager supposed to be able to edit. One possibility, derived from the discussion on mediawiki.org and a TechCom discussion, is that Gerrit Managers should own all groups except for mediawiki.
The operations/puppet repository does not have an associated Gerrit group. The relevant LDAP group is directly granted access to the project. The existing operations-* groups in Gerrit don't seem to have high security requirements.