One thing is that "seeing" and "doing" are treated separately. So one place you can make a mistake is to give a user an action permission on something she can't see. On the other hand, you need to add user2 to Group 1 either directly or by inheritance, i.e. make Group 2 inherit from Group 1. You could also add Group 2 to access level 1.
To control by user in the implementation in the CMS you would need to make a group that only contained that user. The only exception is "edit own."
However, with plugins or with your own implementation of ACL using JAccess, you have the possibility of taking many other approaches.
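The "seeing" versus "doing" split described above can be audited mechanically. The following is an added example, not part of the original answer and not Joomla's code: a simplified Python model (no explicit deny rules) that finds action grants on assets the user cannot view. The names `user1`, `article`, `edit` and all sample data are constructed.

```python
from dataclasses import dataclass

@dataclass
class Acl:
    parents: dict   # group -> parent group it inherits from (or None)
    members: dict   # user -> set of groups assigned directly
    levels: dict    # view access level -> set of groups it contains
    assets: dict    # asset -> (view level, {action: groups allowed})

    def groups_of(self, user):
        """Direct groups plus every group they inherit from."""
        seen, stack = set(), list(self.members.get(user, ()))
        while stack:
            group = stack.pop()
            if group not in seen:
                seen.add(group)
                if self.parents.get(group):
                    stack.append(self.parents[group])
        return seen

    def can_see(self, user, asset):
        level, _ = self.assets[asset]
        return bool(self.groups_of(user) & self.levels[level])

    def can_do(self, user, asset, action):
        _, actions = self.assets[asset]
        return bool(self.groups_of(user) & actions.get(action, set()))

    def unreachable_grants(self):
        """(user, asset, action) where 'doing' is allowed but 'seeing' is not."""
        return sorted((u, a, act)
                      for u in self.members
                      for a, (_, actions) in self.assets.items()
                      for act in actions
                      if self.can_do(u, a, act) and not self.can_see(u, a))

def sample():
    """Constructed setup: Group 2 may edit an article only Group 1 can view."""
    return Acl(parents={"Group 1": None, "Group 2": None},
               members={"user1": {"Group 1"}, "user2": {"Group 2"}},
               levels={"access level 1": {"Group 1"}},
               assets={"article": ("access level 1",
                                   {"edit": {"Group 1", "Group 2"}})})

if __name__ == "__main__":
    print(sample().unreachable_grants())
```
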