Technically, this is also possible by creating extra groups, but this kind of access control presumably exists because the old-school method can be a pain to administer. Choosing group names can also be an “interesting” secondary challenge.

i.e. Dude’s not going to be best pleased if they ls -l and see the group on the file is xyzgroup-but-not-dude even if it is with good reason. (Shouldn’t have deleted the database, dude.)

I understand it all less after reading that. I need more coffee.

The only thing you need to know about file acls is not to use them. Similar thing can be said for Network ACLs to be honest.