Here's what we have (and I feel quite confident in how it's done because I was guided by none other than David Stern!).
We have quite a few grroups of users with widely ranging areas of analysis. This means that we have a large number of libraries (over 300 at the last count), many of which are ODBC links to databases. Each has its own set of authorised users. So, pretty much, each library is in its own folder, all within the /Shared Data folder. ACTs are applied to each of those folders, which grant all access to one group and just RM,R to another. This ensures that those permissions are inherited by an registered tables.
But in order for users to see the folders and their contents, SASUSERS needs RM access to the /Shared Data folder and that would be inherited by all its child folders. So we have another ACT which we apply to each child folder which denies all permissions to SASUSERS. The specific ACT for a child folder overrides this for the groups which it specifies.
I hope this is useful.