We don't use the access control functions very often, so it's understandable that they are primitive. Right now, access control must be done by inserting text into the first line of a page. The rules are a bit tricky, and you can "group" users by creating so-called group pages.
The first step is to store the ACLs in the database rather than in the text of the page. We're already sort of doing this.
We could have a button after "Rename" in the edit area that says "Security." The user would see "Security" only if they have the privileges to change the access control on the page. Clicking on the button would take them to an area where they select which groups are allowed to: edit, view, delete, revert, admin the page. There would also be a link to a separate area where the user can define new groups — or maybe not?
Groups being wiki pages is a good idea — we have revision history and it's easy to see it in recent changes, etc. It's also simple. Groups should, when edited, move their information into the database, though. It may also be good to move groups out of the main "namespace," so to speak. "Wiki/User Groups/name of group" would be better. "User groups" is also clearer than simply "groups." The page "Wiki/User Groups" should have a list of currently defined groups. The cheap way to generate this list would be to use the information on which groups exist from the database. Later on we can use a cleaner scheme. (Note: the more general non-user concept of a group — e.g. System Pages Group — will be outdated soon enough once we move to this "clean scheme" :-] )
After thinking about this a bit, it's probably best if it's not a wiki page any more. Just a 'manage user groups' interface would be more straightforward.
You should also be able to list an IP address (or range) as a user of a group. This would allow easy web-based IP bans. What's the best way to allow them to specify a range? We should maybe just use the format Apache uses in .htaccess files: 127.0.0.
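An added example, not code from the original page or the wiki's own code base: one way to test a visitor's address against group entries written in the Apache partial-address style mentioned above. It goes a little beyond the partial form and also accepts the network/netmask and CIDR forms Apache allows. Python, the names parse_spec, in_group and GROUPS, the sample data, and accepting a trailing dot on a partial address are all assumptions made for illustration.

```python
import ipaddress

def parse_spec(spec):
    """Turn an Apache-style IPv4 spec into an ip_network.

    Accepted forms: full address (192.0.2.7), partial address (10.1 or
    127.0.0.), network/netmask (10.1.0.0/255.255.0.0), CIDR (10.1.0.0/16).
    """
    spec = spec.strip()
    if "/" in spec:
        # ip_network understands both the netmask and the CIDR form.
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError("not an IPv4 address or prefix: %r" % spec)
    # Pad a partial address with zero octets. The prefix length counts only
    # the octets given, so "10.1" means 10.1.0.0/16 and can never match
    # 10.100.x.x the way a plain string-prefix comparison would.
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network("%s/%d" % (padded, 8 * len(octets)))

# Constructed sample data standing in for the database. User names and
# address specs are kept in separate lists so that a user name made of
# digits is never mistaken for an address prefix.
GROUPS = {
    "Banned": {
        "users": ["SpamBot"],
        "addresses": ["127.0.0.", "198.51.100.0/255.255.255.0", "10.1"],
    },
}

def in_group(group, username, client_ip, groups=GROUPS):
    """True if the user name or the client address belongs to the group."""
    entry = groups.get(group)
    if entry is None:
        return False
    if username in entry["users"]:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in parse_spec(s) for s in entry["addresses"])

if __name__ == "__main__":
    for ip in ("127.0.0.99", "127.0.1.5", "10.100.2.3"):
        print(ip, in_group("Banned", "Visitor", ip))
```

Validating each spec with parse_spec when the group is saved, rather than at request time, keeps a malformed entry from raising an error during an access check.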