For years I've been engaged in the debate over using SharePoint or Active Directory groups for SharePoint permissions. There are pros and cons to each and I am pretty sure there is no perfect answer to which is better. However, I am pretty sure that role based access control to SharePoint solves the issues with both types of groups.
Here's why: you don't get token bloat with roles, you can create dynamic roles, you can run self service workflows for users to join roles, you can delegate role membership management to users, and you can use the roles for almost any other identity action.
EmpowerID makes role based SharePoint permissions possible by being a SharePoint Claims Provider for SharePoint 2010. As the identity provider for SharePoint, EmpowerID will pass a token that has all of a user's claims including both authentication and authorization. This means a user is authenticated into your network and navigates to a SharePoint site; SharePoint will check with EmpowerID to see if that user exists and what access she has.
Using WS-Federation, EmpowerID's Secure Token Service sends a token to SharePoint to authenticate that user. In addition, any additional authorization claims are embedded into the token so that the user has access to all of the sites that she should.
As the claims provider for SharePoint, EmpowerID's roles are inserted into the people picker for site owners to provide access. They see these roles right next to users and groups. If an end user wants access to a site, they can request access and EmpowerID can assign them to a role (depending on approval levels of course).
That's how it works but the magic is in defining the roles for the user. EmpowerID roles can be managed dynamically or delegated. The majority of roles are going to be based on our polyarchical system and dynamic. If you are in XYZ department in ABC location, you are in the XYZ role, the ABC role, and consequently the XYZ-ABC role. This keeps the number of roles from getting bloated, having to create one for each management role/location combination. These management roles can be based on any criteria: business unit, department, title, whatever fits your business.
Users can also request role membership. The EmpowerID workflows to make this happen can require varying levels of approvals based on who is requesting and what they are requesting. Some are automatic (book club member) some are severely restricted (earnings committee). The self service interface can be via EmpowerID or exposed in SharePoint.
Lastly, each role has an owner or owners who can manage the membership, either for approvals or to directly manipulate the membership of the role. Any role membership can be attested to, can be made temporary, or can require approvals.
Back to the SharePoint site owner, she doesn't have to worry about the membership of the roles. The three methods above of managing membership means that she just has to worry about which role should have access. Remember SharePoint groups are static and require manual intervention. AD groups' membership cannot be viewed in SharePoint so the site owner has no idea who she just granted access to. Each of these concerns is addressed with an EmpowerID role.
SharePoint is an invaluable tool for your business but managing it from within IT is burdensome. Too often, SharePoint is configured and accurate on day one and the permissions slowly deteriorate as site owners manage access manually. Fix this for them. Manage roles for your entire identity ecosystem and provide these roles to site owners to manage their site's access.
EmpowerID's standards based approach will give you SSO and role based SharePoint permissions. It is easy to manage and even easier once you start delegating. Your SharePoint implementation will become more robust and useful. Schedule an EmpowerID demonstration and see for yourself how your life can be easier.