IAM in Service Catalog
Changing access controls on a group affects only that group. It has no effect on controls in any other existing groups.
Each group has an security attribute that controls whether or not a valid 2-factor login session is required to administer the group. This attribute is located under the administrators control, enabled via an "enable enhanced security" checkbox.