I would not go as far as to say that this is a very ``opaque'' area :). Improvement is definitely needed, and the first one that is needed is a sample walkthrough with some meaningful example how groups/group types/relationship types/users get pieced all together to create a robust and flexible permissions/user management structure. Whatever is in the /doc section of this site (and any site having [O]ACS4.x installed) is, well, stimulating, but far from clear on this...
Anything changed since you last touched upon this?
