@Arunu - your idea to make them each groups, not subgroups, is the best way to go.
There is no real reason to have a hierarchy of permissions (I think you may be mixing authentication with ACL a bit, a very easy thing to do).
Ion_auth is set up so that a user can have multiple groups - so, for example, all your users could have a Members record, and then a separate record for each sub group.
Each controller entry point simply says what groups are allowed in or not - it treats them all the same.
also, you can dynamically display data based on what groups the user belongs to