Hi @michaeleino,
see this introduction: Sharing
Based on Shares you can define on document level, which user can read/write/delete/share. In contrast to UserPerm it is “more granular”, but UserPerm would allow you to also manage the access based on the links within a DocType.
Ok, now I get your requirements. As far as I understand, there is no out-of-the-box solution as you are describing. Based on the question of whether you want to manage access for only one specific document or also for nested/linked documents, I would go ahead with Shares or UserPerms.
As it would be very hard to keep track of the permissions (share or userperm), I would suggest to extend the giving methods / create a wrapper which gets the group as parameter and manages “internally” the users part of that group.
Sure, at the end, it is what you don’t want to have - many permissions. But why not? Validating permissions is fast.
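An added example, not part of the original post and not Frappe's own code: one way to build the group wrapper suggested above, expanding a group into per-user shares and revoking a share only when no other group still grants it. The class name, the injected `add_share`/`remove_share` callables (assumed to map to `frappe.share.add` and `frappe.share.remove`) and the sample data are hypothetical.

```python
from collections import defaultdict


class GroupShareManager:
    """Expands a group into per-user shares and remembers which group granted each."""

    def __init__(self, add_share, remove_share, **perms):
        # Assumption: in a Frappe app these callables would be frappe.share.add
        # and frappe.share.remove; they are injected so the example runs offline.
        self._add, self._remove = add_share, remove_share
        self._perms = perms                  # same flags for every group (assumption)
        self._grants = defaultdict(set)      # (doctype, name, user) -> granting groups
        self._synced = {}                    # (doctype, name, group) -> last members

    def sync(self, doctype, name, group, members):
        """Reconcile one document's shares with the group's current members."""
        members = set(members)
        previous = self._synced.get((doctype, name, group), set())
        added, revoked = [], []
        for user in sorted(members - previous):
            key = (doctype, name, user)
            if not self._grants[key]:        # first group to grant: create the share
                self._add(doctype, name, user, **self._perms)
                added.append(user)
            self._grants[key].add(group)
        for user in sorted(previous - members):
            key = (doctype, name, user)
            self._grants[key].discard(group)
            if not self._grants[key]:        # no other group still grants access
                self._remove(doctype, name, user)
                revoked.append(user)
        self._synced[(doctype, name, group)] = members
        return added, revoked


# Constructed stand-in for the share backend, so the example runs without Frappe.
shares = set()

def fake_add(doctype, name, user, **perms):
    shares.add((doctype, name, user))

def fake_remove(doctype, name, user):
    shares.discard((doctype, name, user))

if __name__ == "__main__":
    mgr = GroupShareManager(fake_add, fake_remove, read=1, write=0)
    print(mgr.sync("Task", "TASK-0001", "devs", ["a@example.com", "b@example.com"]))
    print(mgr.sync("Task", "TASK-0001", "qa", ["b@example.com"]))
    print(mgr.sync("Task", "TASK-0001", "devs", ["a@example.com"]))  # b keeps access via qa
    print(mgr.sync("Task", "TASK-0001", "qa", []))                   # now b is revoked
```

The ledger here lives in memory; a real deployment would have to persist which group granted each share, otherwise stale shares cannot be told apart from manually granted ones after a restart.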