File system permissions ACL

Hello everyone,

I have a huge problem with file system permissions when user access it in a share.

I have created different global groups with different permissions e.g.:
file_FC (full control)
files_RWX (read write execute)
files_RW (read write)
files_R (read only)

I have added the different groups to the folders and set the predefined permissions using windows explorer.
This security groups I have created for different shares and I have added them to other security groups who are assigned to a special user function or department. My idea is I can simply assign a user to a function group and automatically the user gets the right permissions to all needed data.

Now I have realized that this works only sometimes and not all groups have the right limits even though it is defined different for the security group in the file system.

It means a user who is a member of a group who is a member of two different groups who allows rw access on folder A and read only access on folder B results that the user has no access to any of this folders.

I have two add the user to a third group who is not further defined for file system permissions that the user gets access but then the user has read write access to both folders A and B even though in folder B the user should have read only access.

Sorry I know it is very confusing but currently I can’t rely on the set permissions, they can be effective as defined or a user can have more access as defined for it’s group.

Does anyone have an idea how I can start to set the ACL correctly and how I can make sure permissions really work as defined?
Is there any good document I can read to learn more about ACLs? The most documents I found yet are not really helpful, they gave me some ideas to figure out how I have to set permissions in a try and error way.

Thank you in advanced!

Best regards
Hendrik Dreyer