Ideally the permission should never be applied at the lowest level, as later on if the size of the repository increase then there are lot of challenges in modifying the permission for the groups or users at the lower level nodes.
I would suggest to create a group at a higher level until really needed at the lower level.
Lets see if you have the hierarchy some thing like "/content/<site-name>/<locale>/<locale-language>/newsroom/news/article1 then the permission should be applied at "/content/<site-name>/<locale>/<locale-language>" or even higher "/content/<site-name>/<locale>".
For grouping the permission and applying the same on the other environments use the "ACL Packager"
So the best approach is use this to package the permissions rather than apply through code.
You can create a servlet and use User Manager API to automate this:
Session session = resourceResolver.adaptTo(Session.class); UserManager userManager = resourceResolver.adaptTo(UserManager.class); /* to get the current user */ Authorizable auth = userManager.getAuthorizable(session.getUserID()); /* to get the groups it is member of */ Iterator<Group> groups = auth.memberOf();