I still would like to see a simpler approach, since I fear the options may be a bit heavy on a host where you also run all your other services.
So IMO, keep it with an extended local repository, where you can manage your group-based application permissions through a website, similar to the current software management we have for Zentyal server.
Apt will manage the dependencies for you if you install or de-install packages. Permissions to install will be handled by the sysadmin from the web management page on Zentyal server.
User profiles can be handled by a Sabayon-like feature... Anything I missed, or is this too far-fetched?