Claudio,
First, let me caution against modifying the permissions system. It is a complicated beast fraught with possible performance killers unless you are able to do some serious profiling on your changes.
Don (and others) have spent a huge amount of time optimizing the system.
Let me see if I understand what you are trying to do: You are modeling a hierarchical structure. For your test you created groups "one", "two", and "three" such that placing a party into group "three" essentially places him in groups "one" and "two" as well.
What I don't understand is what you are trying to achieve with permissions. In the existing system, a permission is a triplet consisting of a privilege, an object, and a party. So you grant a privilege ON an object TO a party. That party can be a user or a group. If you grant the privilege to the group, all members of the group get the privilege. So, for example, if you granted "read" privilege to group "one", all members of group "three" would have the "read" privilege as well.
I'm thinking that you are suffering some of the same problems I had when wrapping my head around permissions. Lots of stuff seems "backwards" (like group membership, OpenACS talks about components, so in your example you made group two a component of three and group one a component of two. Most people would think of creating group one, then create a "subgroup" two and a "subsubgroup" three). It often helps to think in terms of Venn diagrams and set theory when working with the groups system.
