I understand it all less after reading that. I need more coffee.

The only thing you need to know about file acls is not to use them. Similar thing can be said for Network ACLs to be honest.

Technically, this is also possible by creating extra groups, but this kind of access control presumably exists because the old-school method can be a pain to administer. Choosing group names can also be an “interesting” secondary challenge.

i.e. Dude’s not going to be best pleased if they ls -l and see the group on the file is xyzgroup-but-not-dude even if it is with good reason. (Shouldn’t have deleted the database, dude.)