Tom,
I struggled with this, and I still don't have a good explanation for how it all works.
What I do know is that the system makes no assumptions on how you want to use it. If you create a new relationship type, there are no semantics attached to it by the system.
So what I think you want to do is this: create a new relationship type. Then you will create a Tcl proc that creates an instance of this relationship. This is what will grant the permissions on the objects based on your application.
Well, writing that gave me a little bit more understanding of how it works. Mainly the key is that the system is very, very flexible, and with that you can use it in many different ways. We probably should generate some documentation that shows common uses of groups with examples.