From what I can tell, the permissions for the document category are set initially when the incident is created and are never changed. The initial permissions are set in the Setup Process embedded models in SD.IncidentManagement, in both the primary model and the CreateIncidentAdvanced model. There are explicit permissions set for Support I, Support II, Service Managers, and All Users. All Users get the permission to view all documents in the category and add documents.
As far as the incident permissions go, I just gave all of Support I and Support II Can Administrate permissions on all tickets. Then anyone in those groups can work any other ticket. That works for us because we have a fairly small team. If you want members of a group to always be able to work tickets that any individual member is assigned, you would have to do a lookup of the groups the individual is a member of (excluding All Users) and then add the Can Administrate process permission to those groups in the Reassign or Assign To Me tasks.