In the permissions form for a repository, you should be able to assign permissions either to individual users (which is already supported) or to groups. These permissions should be additive, meaning that a user is granted the highest level of permission that is applicable to them, regardless of whether it came from a group or individual permission assignment.
It may be useful to store user and group permission assignments separately to support users and groups with the same name. For example, in some cases it might be desirable to have both a QA user and a QA group.
Example:
* User bob belongs to groups Dev and Product1
* User steve belongs to groups Dev and Product1
* User jane belongs to groups QA and Product1
* User jill belongs to group QA

Repository 1:
* user bob OWNER
* group Product1 READ
* group Dev WRITE

Effective permissions:
* bob: individual OWNER permission is higher than WRITE from Dev or READ from Product1
* steve: WRITE permission from Dev is higher than READ permission from Product1
* jane: READ permission from Product1
* jill: NONE
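
A sketch of the additive resolution described above, as an added example that is not the project's own code. The names `Level`, `effective_permission` and the `(kind, name)` assignment key are assumptions made for illustration; the sample data is constructed from the example in this request.

```python
from enum import IntEnum


class Level(IntEnum):
    # Ordered so that max() picks the strongest grant; NONE is the default.
    NONE = 0
    READ = 1
    WRITE = 2
    OWNER = 3


# Constructed sample data mirroring the example above.
MEMBERSHIPS = {
    "bob": {"Dev", "Product1"},
    "steve": {"Dev", "Product1"},
    "jane": {"QA", "Product1"},
    "jill": {"QA"},
}

# Assignments are keyed by (kind, name), so a user "QA" and a group "QA"
# are stored separately and can never be confused with each other.
REPOSITORY_1 = {
    ("user", "bob"): Level.OWNER,
    ("group", "Product1"): Level.READ,
    ("group", "Dev"): Level.WRITE,
}


def effective_permission(user, assignments, memberships):
    """Return (level, source): the highest applicable level and the
    assignment key that granted it, or (NONE, None) if nothing applies."""
    candidates = [("user", user)]
    candidates += [("group", g) for g in sorted(memberships.get(user, ()))]
    best, source = Level.NONE, None
    for key in candidates:
        level = assignments.get(key, Level.NONE)
        if level > best:
            best, source = level, key
    return best, source


if __name__ == "__main__":
    for name in ("bob", "steve", "jane", "jill"):
        level, source = effective_permission(name, REPOSITORY_1, MEMBERSHIPS)
        print(f"{name}: {level.name} via {source}")
```

Returning the source alongside the level makes it possible to show in the permissions form, or in an audit log, which assignment gave a user their access.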