you are right, the application does not have native support for custom ACLs or permissions, and several quick searches on the Internet did not immediately display any obvious open source libraries.
How to implement full permissions and ACLs for group sharing is definitely a non-trivial design issue. There are a number of other issues here.
saying that, like a very rough first pass, you are probably on the right track with saving user lists. I suggest you abstract the list into separate group entities and instead bind them to yor data so that users can define groups once, and not for each piece of data. I would also like to keep separate lists of groups that can read vs write. finally, I would save the “User Properties” in the group entity, instead of strings of usernames or email addresses.