Originally Posted by proNick
Ie. how can I define that users in group 'users' can access to cdrom, without adding all members of group 'users' into group 'cdrom'?
You would define a new group for this device called say "cdrom", and add only the users you want to be able to access it to that group.
Remember, files/directories/devices can only belong to one group
Users can belong to as many groups as necessary
For example, you could define groups for security levels 1-5, called "sgroup1", "sgroup2", and so on. Any file that should only be accessed by levels 3 or higher should be set to sgroup3. Then your users can be granted access to the groups as necessary. So "Jesse" might only belong to sgroup1, giving him access to any files/directories/devices that are level 1, but nothing higher. Meanwhile "Richard" might belong to sgroup1, sgroup2, sgroup3, and sgroup4, giving him access to any files/directories/devices belonging to those four groups, but not those belonging to sgroup5.
Increasing or decreasing a user's access involves only adding them to or removing them from a group. Increasing or decreasing a file/directory/device's security level involves only changing which group it belongs to.