You have to manually set the permissions by checking the group. Yes you can dynamically add groups.
This is not a full on ACL system. This is just a simple, lightweight, auth system. So if you need complex ACL you should probably use a different library.