i would design the model so that a user doesn't necessarily have to belong to a group in order to have access to a page
in my mind, groups can exist to make administration of users easier, but you should not have to "create" a dummy group for a unique user just in order to grant permissions
I agree. Let me clarify then so I make sure that I understand.
The permissions themselves are on the individual pages. If I use the model on the left, and page "x" was not in the proper group, a dummy group would need to be created to suite that person's page access as you suggested.
Would you put the permissions on the pages themselves?
This is very confusing to me because I am thinking in terms of UNIX permissions and it is clouding my ability to correctly model this.