[OpenAFS] correct usage of supergroups
scorch
scorch@muse.net.nz
Tue, 11 Oct 2005 01:03:11 +0200
dear AFSers

I have some questions about supergroup functionality. I'd expected that
I can create the following:

  Access list for /afs/.muse.net.nz/pub/images is
  Normal rights:
    write:images rlidwk
    admin:images rlidwka
    read:images rl

this mirrors how security is currently set up on a large Windows
environment. it helps migrating the permissions via script & keeping the
existing controls of who can change permissions in place - users can
control the membership of groups, but not the permissions themselves.

and then have membership of each group as follows:

  $ pts mem admin:images
  Members of admin:images (id: -212) are:
    system:administrators

  $ pts mem read:images
  Members of read:images (id: -211) are:
    system:anyuser

  $ pts mem write:images
  Members of write:images (id: -213) are:
    joeuser

however this doesn't allow the expected result - nobody can read the
volume, & joeuser can't write.
I have created 3 dummy PTS accounts (read, write, admin) to own the
various groups, this is just for neatness' sake.

OpenAFS is on OpenBSD 3.7 & Windows, running 1.4 rc6, using

  ./configure --enable-transarc-paths --enable-fast-restart \
      --enable-bitmap-later --quiet --enable-debug --enable-bos-new-config \
      --enable-supergroups --enable-namei-fileserver --disable-kernel-module

-> Windows client is 1.4 rc6
-> OpenBSD clients are all Arla from 3.7 release

4 questions:

1. does anybody use supergroups?
2. am I using them correctly?
3. is there any other information I could collect that would help?
4. are there any other docs other than the wiki for reference? Google
   doesn't return much.

cheers, scorch
--
out of the frying pan and into the fire