I propose that access be split into two categories: Editing and Viewing.
Lets look at the first option. Say you have a large organization and your FAQ's are managed with a distributed model concept. Different departments handle their own content. The overall FAQ Manager would be the only person(s) to create top level categories, and can then assign those categories to specific groups. Now within that category, the group can create sub categories. Everything created within the group would have edit restrictions to that group and the overall FAQ Manager(s).
View restrictions would by default be set to "All Visitors". However it may be that some FAQ's are for internal use only. So your settings for viewing would be:
- All Visitors
- All Groups (excluding anonymous visitors)
- Specific Groups