I am writing a web app in which a user can create a group and add other users into it. Multiple users can be in multiple groups, and there are certain privileges or controls you gain from being in a group, for example being able to see the content. All of this is similar to Facebook's group function.
I am aware all this can be done with a couple of tables in the DB tracking who's in what group and granting privileges accordingly, etc.
I am wondering whether there is any framework, theory or article that describes the RIGHT and most efficient way to do it.
What you want is called an ACL (Access Control List). There are many approaches to that (e.g. look at the three-step pseudo-ACL in the UNIX/Linux world, or inheritable multi-level ACLs in Windows directory-dependent environments).
I use a very simple approach, which I'll share here:
Every "object" (an article, a photo, any other resource) has some pre-defined "actions" which may be performed on it (like "show", "vote up", "comment", etc.). For each object and action I define the ACL this way:
objectB.ActionX: all
objectC.ActionX: all !userA
objectD.Action1: group1 group2 userA !userB !group3
The ACL is simply read from left to right. Each "all", "group" or "user" entry means allowing the particular action on the particular object, while "!all", "!group" or "!user" means disallowing it...
This approach is easy to implement - and gives almost unlimited possibilities :)
Hope this helps you :)
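The answer above describes the notation but not the evaluation rule in code, so here is an added example (not the answerer's own code) of the left-to-right ACL check in Python. It assumes the natural reading of the post: entries are evaluated in order, the last entry that matches the requesting user (by name, by one of the user's groups, or via "all") decides, and a missing ACL or an ACL with no matching entry is a deny. The user/group table, the ACL table and the user and object names are constructed for the example.

```python
"""Left-to-right ACL evaluation in the style of the answer above.

Assumptions (not stated in the original post): last matching entry wins,
and default deny when no entry matches or no ACL exists for object.action.
"""

# Constructed sample membership table: user -> set of groups the user is in.
USER_GROUPS = {
    "userA": {"group1"},
    "userB": {"group2"},
    "userC": {"group2", "group3"},
    "userD": set(),
}

# Constructed ACL table keyed by "object.action", in the post's notation.
ACL = {
    "objectB.ActionX": "all",
    "objectC.ActionX": "all !userA",
    "objectD.Action1": "group1 group2 userA !userB !group3",
}


def parse_acl(spec):
    """Turn "group1 !userB all" into [("group1", True), ("userB", False), ("all", True)].

    A leading "!" marks a deny entry; anything else is an allow entry.
    """
    entries = []
    for token in spec.split():
        allow = not token.startswith("!")
        name = token[1:] if token.startswith("!") else token
        if not name:
            raise ValueError(f"empty ACL entry in {spec!r}")
        entries.append((name, allow))
    return entries


def entry_matches(name, user, groups):
    """An entry applies to the requester if it is 'all', the user's own name,
    or one of the user's groups. Users and groups share one namespace here,
    exactly as in the post's notation, so pick names that cannot collide."""
    return name == "all" or name == user or name in groups


def is_allowed(acl_table, user_groups, user, obj, action):
    """Evaluate obj.action for user: read the ACL left to right and let the
    last matching entry decide. No ACL or no match means deny."""
    spec = acl_table.get(f"{obj}.{action}")
    if spec is None:
        return False  # default deny: nothing was ever granted
    groups = user_groups.get(user, set())
    decision = False  # default deny until an entry matches
    for name, allow in parse_acl(spec):
        if entry_matches(name, user, groups):
            decision = allow
    return decision


if __name__ == "__main__":
    for user in USER_GROUPS:
        for key in ACL:
            obj, action = key.split(".")
            verdict = "allow" if is_allowed(ACL, USER_GROUPS, user, obj, action) else "deny"
            print(f"{user:6} {key:18} {verdict}")
```

Two things worth noting with this rule. First, order carries meaning: "group1 group2 userA !userB !group3" denies userC even though userC is in group2, because "!group3" comes later and userC is also in group3; if you want group membership to win over a later deny, you need a different rule (e.g. explicit deny always wins), and you should pick one rule and document it. Second, the post's notation puts users and groups in one namespace, so a user who registers the name "group1" would match a group entry; in a real system store the two in separate tables and mark entries with their kind instead of relying on the bare string.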