So you want a Leased Custom Resource object?
VRA Cafe holds all registered items as Catalog Resources with an owner (the "Items" folder in the vRO plugin for vRA). In 6.x you couldn't set lease on these Resources. I am not sure if that changed in 7.
You can have active directory groups that are part of managed inventory. (that one is actually easy because they are part of the AD plugin and you can map the vRO type to a Custom resource)
In order to do this, you have to maintain a "provision" blueprint that returns the AD:UserGroup object. When run, the return "provisions" (not really) an existing group as a Resource that is now accessible in the vRA Inventory.
Having the group present in inventory doesn't provide the kind of lease that you are looking for though. (unless it can be set in vRA 7 now--which I may look into later)
Assuming lease isn't available, we now have a resource... but no event that will exist for expiration. In the end we want to execute something in vRO to do the actual heavy lifting of removing the UserGroup from another UserGroup that it was added to (probably on provisioning above). And we need a Date someplace to determine when that heavy lifting will happen.
So one way to handle this would be to have the date held on the resource... and a regularly running (scheduled) vRO workflow that looks at all Catalog Resources of type (resourceTypeRef label "My Magic Groups") and see if a Date we add on provisioning is past due. If it is past due... run the deProvision request in vRA which will in turn run a workflow taking in the custom CatalogResource. At that point, the workflow has the target and we can just run the remove user from group method in the AD plugin and at the end of the workflow run (since it came through vRA XaaS request) the deProvision will happen of the object and it will no longer be a CatalogResource in Inventory.
Another way would be to leverage an external database and keep your own information on group membership and inventory and supply that into a form based on criteria (like business group, ad group membership or whatever).
Both these kinds of solutions require a strong understanding of vRO as it relates to vRA and XaaS, but it isn't insurmountable. We take each part a step at a time and work our way through the next function we need. Each function comes with varying options. If this is something you are interested in doing, let me know and I can give you more direct help through parts of it.
For your review...
Your return from the workflow that runs this will be the AD:UserGroup from the middle. The workflow will add the child group into the parent. We will have to figure out how to store the date as custom data on the resource. Let me see if I can get a working example of that. (Probably tomorrow.... I have some things I need to get done)
For the time being, you can learn about Provisioned resources and see if you can get one to provision. You will need to log out of vRA and log back in to see them in your item inventory. I suggest playing around with this capability in a lab. You will need to also create a workflow that can be used as a RESOURCE ACTION to dispose of a resource that gets into inventory.
I have provided two simple workflows below that are the vRO side of this capability. If you configure a Custom Resource, publish/entitle a blueprint to the provision vro workflow, and publish/entitle a resource action to the DISPOSE workflow. You should be able to get here. This allows you to put groups in and out of inventory. The rest is just bits in the middle. 
