Ack, this is all wrong. I will try again. Don't read this!
Each group type is an object type. So if one of your object types will have membership of users or persons, make it a group type.
Definition of membership or composition between groups and parties (persons, users, other groups). Each rel_type has a role and an object_type on each side. You would put your custom group type on one side, and parties (? users, persons?) on the other side. Then you can define a role, which is just a name for the rels segment. So you can have a "manager" role and a "staff" role. You can (using relational segments) grant managers permission to create new staff at this level. This is just an example; the semantics of the roles and rel_types are specific to your application.
CAUTION: I am still working on understanding this, and sometimes I get it backwards. Don't bet your business model on this explanation. There are two main types of relationships you can use with groups: composition and membership. Generally you will use a composition rel to say that one group is part of another larger group and you will use a membership rel to define a user or person as a member of a certain group. A component relationship defines indirect membership. That is, every member of a component is a member of the parent group. A membership relationship defines direct membership. (TODO: explain this more clearly, there must be a way to describe this in plain language)
WARNING: Composition rels seem to be broken. Permissions flow in the wrong direction. If you give admin to the top level group, it flows down to all members of any group that is a component of the top group. [find bboard thread]
Defines a party that is all the parties with a certain rel_type to a group.
For example:
Group: my_company
Rel_type: staff_member
Rel_type: admin_member
Using relational segments you could define a party that includes all staff members and another party that includes all admin members. You can now check for membership in a certain rel_segment for a user (person, party). You can assign permissions to the relational segment instead of setting permissions on each member of a rel_type.
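As an added illustration (a toy Python model, not OpenACS code or its API), the following models membership, composition and relational segments as described above, and shows that a grant to the `admin_member` segment reaches fewer parties than a grant to the whole group. The class and method names, `sales_dept` and the user names are assumptions, as is the choice that a segment also counts rels held on component groups.

```python
from collections import defaultdict

class PartyModel:
    """Toy model of groups, rels and relational segments (hypothetical, not OpenACS)."""
    def __init__(self):
        self.rels = set()                    # (rel_type, group, party) membership rels
        self.components = defaultdict(set)   # parent group -> component groups
        self.grants = set()                  # (grantee, privilege, object)

    def add_member(self, group, party, rel_type):
        self.rels.add((rel_type, group, party))

    def add_component(self, parent, child):
        self.components[parent].add(child)

    def _with_components(self, group):
        # The group itself plus every group reachable through composition rels.
        seen, stack = set(), [group]
        while stack:
            g = stack.pop()
            if g not in seen:
                seen.add(g)
                stack.extend(self.components[g])
        return seen

    def members(self, group):
        # Direct members plus indirect members (members of any component).
        groups = self._with_components(group)
        return {p for (_, g, p) in self.rels if g in groups}

    def segment(self, group, rel_type):
        # Assumption: the segment also counts rels held on component groups.
        groups = self._with_components(group)
        return {p for (t, g, p) in self.rels if t == rel_type and g in groups}

    def grant(self, grantee, privilege, obj):
        # grantee is ("party", name), ("group", group) or ("segment", group, rel_type)
        self.grants.add((grantee, privilege, obj))

    def can(self, party, privilege, obj):
        resolve = {"party": lambda p: {p}, "group": self.members, "segment": self.segment}
        return any(party in resolve[kind](*args)
                   for (kind, *args), priv, o in self.grants
                   if (priv, o) == (privilege, obj))

def build_example():
    # Constructed sample data; sales_dept, alice, bob and carol are hypothetical.
    m = PartyModel()
    m.add_component("my_company", "sales_dept")
    m.add_member("my_company", "alice", "admin_member")
    m.add_member("my_company", "bob", "staff_member")
    m.add_member("sales_dept", "carol", "staff_member")
    return m
```

Granting `("group", "my_company")` a privilege in this model also gives it to `carol` through the component group, while granting `("segment", "my_company", "admin_member")` gives it to `alice` only.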