This is an issue that came up in the #jenkins IRC channel.
There is currently a limitation when using PAM with matrix-based security. If a group's name matches that of a user, it cannot be used in the configuration, as it will always select the user instead of the group.
I propose supporting a prefix, such as '@', that will explicitly identify the group/user as a group.