I've found a similar problem that prevents a subsite admin from adding users to groups. The problem is that the /admin/relations/add uses a monster query that will only allow you to add users to the group on which you have read permission. Now it just so happens that all our users have a null context_id so that in practice, and once again, only the site-wide-admin can actually admin users and groups.
It seems to me that the best fix here is to remove the read permission check and simply allow the admin to add any user in the system to a group that he admins. Does that make sense?
