First, your analysis is right. The list of impersonators is a property on the target user. So the target user can grant another user (the impersonator) the right to act as himself. There is no “impersonation right” under which a specific user group is allowed to impersonate anybody.
So the use case “Support User Group”, where a group of support users is allowed to impersonate other business users, will not work. Every individual business user must grant impersonation rights to the support user group.
To change the list of impersonators, you just need write access on the target user. Either it is the target user itself, or a member of the “user administrators” group, or a member of the “administrators” group, or any other user or user group that your project has granted write access on the target user.
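The model described in the answer above can be turned into an audit, shown here as an added example that is not part of the original reply and not any product's API. It reports, per target user, who can impersonate now and who holds write access and could therefore edit the impersonators list. All user and group names, the flat (non-nested) group layout and the `writers` field are constructed assumptions.

```python
# Constructed sample data; every name here is hypothetical.
GROUPS = {
    "administrators": {"admin"},
    "user-administrators": {"uadmin"},
    "support": {"sam", "sue"},
}

USERS = {
    # target user -> its impersonators list, plus extra principals the
    # project granted write access on that user
    "alice": {"impersonators": {"support"}, "writers": set()},
    "bob": {"impersonators": set(), "writers": {"support"}},
    "carol": {"impersonators": set(), "writers": set()},
}

# Groups the answer names as able to edit any target's impersonators list.
DEFAULT_WRITERS = {"administrators", "user-administrators"}


def expand(principals, groups=GROUPS):
    """Resolve user/group names to individual users (flat groups assumed)."""
    out = set()
    for p in principals:
        out |= groups.get(p, {p})
    return out


def direct_impersonators(target, users=USERS):
    """Users who can impersonate the target right now."""
    return expand(users[target]["impersonators"]) - {target}


def can_edit_impersonators(target, users=USERS):
    """The target itself, the default admin groups, and any extra writers."""
    return expand({target} | DEFAULT_WRITERS | users[target]["writers"])


def audit(users=USERS):
    """Per target: current impersonators and users who could add themselves."""
    report = {}
    for target in users:
        now = direct_impersonators(target, users)
        latent = can_edit_impersonators(target, users) - now - {target}
        report[target] = {"now": now, "latent": latent}
    return report


if __name__ == "__main__":
    for target, r in audit().items():
        print(target, "now:", sorted(r["now"]), "latent:", sorted(r["latent"]))
```

In the sample data, the support group reaches only `alice`, who listed it herself, while its write access on `bob` shows up as latent impersonation capability worth reviewing.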