Since your question is not marked answered, I am guessing you are still wondering about the osx user groups, "staff", "system", "admin", and "wheel".
Here is what I can tell you about all these groups:
WHEEL - As previously mentioned, the wheel group has more permissions than any other group. I don't know a quick way to have the system show whether being a member of the wheel group provides ALL the permissions that the root user has, but I can tell you that on my mac, the only member of WHEEL is root. That information is provided by entering this into the command line:
dscacheutil -q group -a name wheel
SYSTEM - My installation of macOS Sierra has no group and no user named system.
ADMIN - users in this group are:
root, test. <default admin setup when osx is first run after installation>
A couple other groups that you might find of interest:
STAFF - members of this group can do most but not all the things unix can do . members of the staff group are:
root, <default admin setup when osx is first run after installation>
I am not sure, but I think the staff group can do almost anything the root account can do as a result of the sudo arrangement.
The sudo arrangement provides most superuser privileges to non superuser accounts via a sudo prefix on commands entered at the command line. Most descriptions falsely state that sudo provides all the privileges of the root user. Sudo works differently in different kinds of *nix and it is complicated.
DAEMON - in order for a daemon to run, the daemon group is going to need to have access to the file, to read and execute it. The only member of the daemon group is root, so why there is a separate group for daemon and why wheel is not used by convention, permissions are arranged defensively, that is, to limit damage if someone gets unauthorized access to a group or account. The idea is that a daemon can do to the system only what the daemon group can do. Since the only member of the group is the root user, the defense here would apply only if someone got to be a member of the daemon group without being the root user. In normal operation, it doesn't matter, but a lot of these groups and permissions are setup to protect the system from abnormal operation, where something is going wrong. I can tell you without looking that the daemon group has permissions that do not extend to all parts of the system. That is the general purpose for all the groups.
BACKGROUND
I can see two approaches to answering your question. One approach is to provide a rationale for the the existence of each of these groups. My first take on these groups is they all have powerful permissions that allow near, but not complete control of the system. That got me wondering why not just have one group instead of three? There must be a good reason, so what is the reason for their differences and then what are the details of of their differences? I will try answering that in a moment, but I can tell you know, I do not have a complete answer to that.
The other approach is to just look at exactly what permissions each of these groups have, especially what permissions each does NOT have, since all three of these groups have at least almost-all the permissions available on a *nix system. Understanding the permissions not granted to each of these groups is important to understanding why there are three groups instead of one for system admin. I will tell you what I know about the exact permissions each of these groups has.
The first thing in my mind to tackling this is make sure I have a handle on how permissions work in *nix. If you know that, and you can login as the root user on your system, which you can do on your mac, then you can just ask the system what permissions these groups have and which users are members of these groups. The catch on this the system's response is kind of complicated.
The root user is a member of the following groups (this information is listed as a result of typing this into the command line: groups root):
- wheel
- daemon
- kmem
- sys
- tty
- operator
- procview
- procmod
- everyone
- staff
- certusers
- localaccounts
- admin
- com.apple.sharepoint.group.2
- _appstore
- _lpadmin
- _lpoperator
- _developer
- com.apple.access_ftp
- com.apple.access_screensharing
- com.apple.access_ssh
- com.apple.sharepoint.group.1
Tracking down the permissions and other members of all those groups is going to a chore. I can envision a speadsheet with the groups wheel, admin, and staff across the top and a long list of system directories and files indicating permissions for each group in all the directories and files and from that trying to interpret intention for having three groups instead of one.
The default administrator on a mac, the account setup when the is first setup, is in these groups this information is listed as a result of typing this into the command line: groups <my username>): This basically is the mac owner's account
- staff
- com.apple.sharepoint.group.2
- everyone
- localaccounts
- _appserverusr
- admin
- _appserveradm
- _lpadmin
- _appstore
- _lpoperator
- _developer
- com.apple.access_ftp
- com.apple.access_screensharing
- com.apple.access_ssh
- com.apple.sharepoint.group.1
That looks like the default admin account is not in these groups that root is in:
- wheel
- daemon
- kmem
- sys
- tty
- operator
- procview
- procmod
i am going to cut this off here, because this is getting kind of long and really addressing all the whys for the groups you asked about would require clarity on all these closely-related groups as well. My hope is what I have written will provide something that makes sense and maybe leads to other questions and conversation in this forum.
If there is anything else you would like to know or have issue with anything I have written, please do not hesitate to let me know and I will respond the best I can.