Ah well, if all this is "free" (as in complexity), I'm all for it, but the reason I advocated a common high-level API for basic checking is that it allowed choosing among various implementations depending on the designer's requirements. For the simple site I'm designing, your system sounds "too full". I basically just need admin and non-admin.
I also think it's important not to force a UI down users' throats. Your design could be applied if I can use my existing main-page login form as a front-end and have your system with a single "hard-coded" (at deployment) permission. Why do you feel a user/role many-to-many design is not enough? I don't see what having group+permission provides above roles.
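As an added illustration of the two models being compared above (this is example code, not the poster's or the other participant's design): both a minimal user/role many-to-many back-end, sized for the "admin and non-admin" case, and a group+permission back-end are placed behind the same high-level `can(user, action)` check, so the calling code does not change when one is swapped for the other. All class names, user names, group names and actions are made up for this example.

```python
"""Two authorization back-ends behind one high-level check.

Added example for the discussion above; names and sample data are invented.
Both back-ends fail closed: an unknown user or an unknown action is denied.
"""
from typing import Protocol


class Authorizer(Protocol):
    """The common high-level API the rest of the site calls."""

    def can(self, user: str, action: str) -> bool: ...


class RoleAuthorizer:
    """User/role many-to-many: a user holds a set of roles.

    Which roles may perform an action is fixed in code at deployment time,
    which is what a single "hard-coded" permission amounts to.
    """

    # action -> roles allowed to perform it (decided at deployment)
    ACTION_ROLES = {
        "view_post": {"admin", "member"},
        "edit_post": {"admin"},
        "delete_user": {"admin"},
    }

    def __init__(self, user_roles: dict):
        self.user_roles = user_roles  # user -> set of roles (many-to-many)

    def can(self, user: str, action: str) -> bool:
        roles = self.user_roles.get(user, set())
        allowed = self.ACTION_ROLES.get(action, set())  # unknown action -> empty -> deny
        return bool(roles & allowed)


class GroupPermissionAuthorizer:
    """Group + permission: users belong to groups, groups carry permissions.

    The action -> permission mapping lives in data rather than in code, so
    granting a group a new capability is a data change at run time.
    """

    def __init__(self, user_groups: dict, group_perms: dict):
        self.user_groups = user_groups  # user -> set of groups
        self.group_perms = group_perms  # group -> set of permissions

    def can(self, user: str, action: str) -> bool:
        perms = set()
        for group in self.user_groups.get(user, set()):
            perms |= self.group_perms.get(group, set())
        return action in perms  # unknown user -> no perms -> deny


def require(authz: Authorizer, user: str, action: str) -> None:
    """Enforcement helper used at the top of a request handler."""
    if not authz.can(user, action):
        raise PermissionError(f"{user!r} may not {action!r}")


# Constructed sample data: the "admin and non-admin" deployment ...
ROLE_AUTHZ = RoleAuthorizer({"alice": {"admin"}, "bob": {"member"}})

# ... and the same site expressed with groups and permissions.
GROUP_AUTHZ = GroupPermissionAuthorizer(
    user_groups={
        "alice": {"staff"},
        "bob": {"members"},
        "carol": {"members", "moderators"},
    },
    group_perms={
        "staff": {"view_post", "edit_post", "delete_user"},
        "members": {"view_post"},
        "moderators": {"edit_post"},
    },
)


if __name__ == "__main__":
    for authz in (ROLE_AUTHZ, GROUP_AUTHZ):
        print(type(authz).__name__)
        for user in ("alice", "bob", "carol", "mallory"):
            for action in ("view_post", "edit_post", "delete_user"):
                print(f"  {user:8} {action:12} {authz.can(user, action)}")
```

The point the two classes make side by side: with `RoleAuthorizer`, giving moderators the ability to edit posts means editing `ACTION_ROLES` and redeploying; with `GroupPermissionAuthorizer` it is a row in `group_perms`. For a site that really only needs admin and non-admin, the first is enough, and the shared `can()` signature means the choice can be revisited later without touching the handlers that call `require()`.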

