How to give different document permissions although same type and same state

I’m in a similar situation.

I’m evaluating whether to deploy Mayan EDMS for the accounting department of the nonprofit organization I’m working in as an IT guy. They serve about 40 accounting areas, called “mandant”, each of which represents either a branch of our organization or an external customer. Each document, e.g. an incoming invoice, belongs to exactly one mandant, the number of which would become a mandatory metadata field. In a few instances, the mandant of a document can change, e.g. if it had been misidentified during upload, or sent to the wrong email address.

What is a good approach to restrict access of each document to only those accountants who are permitted to see (or find by searching) the documents of this mandant, e.g. by being a member of this mandant’s group?
In a file system, or with cabinets capable of inheriting ACLs, this would be easy: create a folder/cabinet for each mandant, restrict access to the corresponding group/role and then move the document into the corresponding folder/cabinet.
But with ACLs only being effective when set on documents, each document needs to be assigned the ACL individually.

The solution mentioned in Cabinets ACL - Documents still accessible - #8 by twp still needs 40 states and 40 actions, so it does not scale well.

I’m sure we are not the only user of Mayan EDMS with this kind of requirement. Is there a good practice to achieve data privacy scaling well to like 40 groups? A high initial setup effort is acceptable, but later additions of a new mandant should need changes in only a few places (e.g. add a group, add users to the group, add a role, add one case with a few lines of code in one central switch statement). If the logic needs slight adjustments (e.g. adding or removing a permission), this should be done in one single place of code/configuration and not require changes in 40 places.
Is there a scriptable action to set ACL “allow document read of this document” to group “mandantNNNN” where NNNN is a variable? This may involve coding the action instead of selecting it in the admin UI. Where can I find documentation of the available commands and where/how to apply them?
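
The requirement above (one central rule, mandant number as the variable, and no leftover access when a document's mandant is corrected) can be modelled as a reconciliation step. This is an added example, not part of the original post and not Mayan EDMS code: the ACL is an in-memory set, and the permission labels, the four-digit mandant format and all function names are assumptions.

```python
import re

# Single place to change which permissions a mandant role receives.
# Labels are illustrative, not Mayan EDMS permission identifiers.
MANDANT_PERMISSIONS = frozenset({"document_view", "document_download"})
MANDANT_RE = re.compile(r"\d{4}")       # assumption: mandant numbers are 4 digits
ROLE_RE = re.compile(r"mandant\d{4}")   # role naming scheme from the post


def role_for(mandant):
    """Return the role name for a mandant number, or None if it is invalid."""
    if isinstance(mandant, str) and MANDANT_RE.fullmatch(mandant):
        return "mandant" + mandant
    return None


def desired_acl(mandant):
    """(role, permission) entries a document with this mandant should carry."""
    role = role_for(mandant)
    if role is None:
        return set()  # default deny: missing or malformed metadata grants nothing
    return {(role, perm) for perm in MANDANT_PERMISSIONS}


def reconcile(current_acl, mandant):
    """Return (to_grant, to_revoke) for one document.

    Only entries whose role matches mandantNNNN are managed, so grants to
    other roles (for example an auditors role) are left untouched.
    """
    managed = {e for e in current_acl if ROLE_RE.fullmatch(e[0])}
    wanted = desired_acl(mandant)
    return wanted - managed, managed - wanted


def apply_mandant(current_acl, mandant):
    """Apply the reconciliation to an in-memory ACL set and return the new set."""
    to_grant, to_revoke = reconcile(current_acl, mandant)
    return (set(current_acl) - to_revoke) | to_grant


if __name__ == "__main__":
    # Constructed sample: invoice filed under mandant 0012, later corrected to 0031.
    acl = apply_mandant({("auditors", "document_view")}, "0012")
    acl = apply_mandant(acl, "0031")
    print(sorted(acl))
```

Running the same function on upload and on every metadata edit means a corrected mandant revokes the previous group's access instead of only adding the new one.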