you can assign passwords for posting and publishing, and only give those passwords ("authorizations" in GroupSpecifier terms) to certain members of the group. but you can't revoke an authorization or membership in the group.
That's really bad. Why woudn't they do such functionality?
a group is a cooperative, distributed system. there's no "head node" or centralized arbiter in our model. no member is special beyond potentially possessing authorizations to enable posting or publishing in groups where those functions are restricted.
there's nothing stopping you from implementing moderator functionality, including kicking/banning, at the application level in your own ActionScript and server-side logic.
we considered adding signed cryptographic (public key) invitations, revocation lists, etc to the system but felt it would have dramatically increased the complexity of both the implementation and how developers would interface with the system, not to mention the logistical problem of signing and handing out the invitations (and potentially refreshing expiring invitations for the non-banned so that revocation lists don't have to keep banned members forever). cryptographic membership for groups is still under consideration/research.