Well ... to be honest that was strange in the ACS 3.4 Intranet, too, a real kludge and misuse ... one we probably don't want to mimic in your port, as you point out.
You don't need to add fields like "admin_group" to po_projects, though, you can query directly for "which groups have admin access to this particular po_project object" if you decide to go the group route.