Switch groups to tags
Make any changes needed to consider the current groups concept as a tagging concept. A tag has an owner and a label, for any given owner the label is unique. Each tag then also has a unique ID. Anyone who has access to that ID is in that "group" or has the right to see anything with that tag on it.
Tag identifiers are keys, there can be readonly and writable keys for the same tag.
Edited by Nicolas Pope