Hrm - yeah, this is a lot of maintenance whether you are using org or group, truthfully. I would have to play around with it for Org to see if I can get it working. What's odd is that I don't see @root.id there, which is the attribute for the "logged in user" - usually it would be something like "group.group_list.member IN (@root.id)", which would specify that the logged in user must be a member of the group that is on the ticket in order for that user to see that ticket.
Now of course this only works if you are basing the policy on the org or group that is on the ticket, and the user belonging to that group or org, rather than trying to accomplish something like "only certain orgs can see certain other orgs' tickets...." type of thing.
Let me know if this helps point you in the right direction at all.
Jon I.