I think you'll have to litter. Have a look at
https://www.dokuwiki.org/acl, There is no "inheritance" per se, it is achieved by a search path:
From my "wiki_acls" page:
"At each step below the parser looks for an entry which matches the user or any group to which he belongs (including @ALL). If there is no ACE go to the next step, if one ACE then use it, and if more than one give the greatest access. For instance @admins are all also @users, so don't need duplicate entries.
The steps are:
The specific page being requested.
The namespace in which the page is.
Higher namespaces in turn (if any).
The Global settings."
As soon as you apply @ALL to the subnamespace, ALL users will match it, and the search terminates at once.
I set up an admin page with two tables:
1) List all the groups and a description of who is in them (description, not list)
2) List resources, groups and access and an explanation,
When I was running this in a live application it worked fairly well. We had three categories of users (with access to their namespaces) plus an operations area. Users could modify their areas but only read most of the rest. Admins could modify nearly everything with only the superuser able to mess with privileged reports such as the access log.