After experimenting with a lot of different configurations, we eventually landed on creating Repository Groups to handle our permissions, and we then associate those groups with AD groups.
This approach has worked pretty well for a number of reasons; however, things do get a bit tricky when it comes time to retire a group, so a couple of features I'd really love to see are the following:
1. Disable/Enable a Repository Group as you would a user
2. Generate a list of entries with explicit rights for the selected group
Item 1 would allow us to turn a group off to make sure nothing breaks before we delete it entirely, making for an easier/safer process: if something goes wrong we could just turn it back on, instead of having to recreate the permissions or memberships, depending on how it was "disabled."
Item 2 would let us know whether or not a group is even still in use (similar to how deleting a field first checks if it is assigned to any documents). Things evolve over time and old groups are effectively retired, but without a clear way to check, people end up being overly cautious and leaving everything.
UPDATE: Per Miruna's post, Item 2 can be accomplished with an entry access report generated from the Client.