You might also check out the thread on Relational Segments: how do you use them.
Create your group for your application, the one that can see everything. Give a membership_rel to all users you want to be able to 'read', for instance. A membership_rel is a specific type of acs_rel. It puts a row in membership_rels, which triggers a bunch of pl code to at least create rows in party_approved_member_map. Any general permissions you want everyone to have could be assigned to the group, or you could create a relational segment. Lets say the group_id is 100. If you created a relational segment that said "all users with rel_type = 'membership_rel' to group 100 are part of this segment", then you would end up with two rows in party_approved_member_map, one for the group and one for the rel_segment. You can assign permissions to either of these. If you wanted a different grouping of users, say the 'advanced readers', you would first create a subtype of membership_rel say 'advanced_readers_rel'. Once you have this subtype, you can create a relational segment that says "users with rel_type = 'advanced_readers_rel' to group 100 are part of this segment, named 'Group 100 Advanced Readers'. Then you would use membership_rel__new, or whatever the tcl api call is to add the new rel. You use the same call, but for the rel_type, you just substitute 'advanced_readers_rel' instead of the default 'membership_rel'.
Shoot, now I'm confused.