SharePoint permissions do not have to be managed with SharePoint groups, those lonely, unmanaged collections of users that sit completely apart from the rest of the enterprise. SharePoint has evolved to first accept Active Directory groups for permissions and now to accept roles via a claims provider.
Claims providers created in SharePoint can be used for adding claims to the security tokens of users when configuring permissions on secure objects like lists, sites, items and documents. When EmpowerID is the claims provider, it provides its dynamic polyarchical roles as a selection in the SharePoint People Picker.
How is this useful? Well, it's a lot easier to manage EmpowerID role memberships than SharePoint or even AD groups. EmpowerID roles can be managed dynamically by any attribute in any connected identity store (Active Directory, HR, CRM, ERP). Role locations as well can be mapped from any connected application so a user in the London OU in Active Directory will be mapped to the London role automatically.
By having management roles (the user's job(s)) and location in separate trees, you can define permissions very granularly. For example, you may only want IT managers in London to have access to the SharePoint site to review IT tasks in London. You simply pick from the two trees to get IT Admins in London.
You can even add a runtime decision by incorporating Attribute Based Access Control (ABAC) into the equation if you want to check your timecard system to only allow on-duty IT Admins to have access!
The advantage to all of this is that users' permissions are not static. Conservative estimates say that internal turnover is about 20% per year, meaning that 1 in 5 users will change jobs. Think of the last time you updated a SharePoint group... it is certainly not that often. Roles, however, are dynamic, reading from attributes that flow from within HR or any other authoritative source. If that IT Admin makes the mistake of starting in sales, she will automatically have her IT admin role revoked and new sales role(s) granted. Permissions will change without IT having to lift a finger.
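To make the role-tree, location-tree and ABAC idea above concrete, here is an added, self-contained illustration of how a claims provider can derive hierarchical role and location claims from source attributes and how an authorization rule can combine them with a runtime condition. It is example code written for this page, not EmpowerID or SharePoint code: the hierarchies, the job-code and OU mapping tables, the timecard lookup and the user names are all constructed. It also shows the dynamic behaviour described in the last paragraph: when the user's HR job code changes, the derived claims change and the access decision flips with no group edit.

```python
"""Claims-based authorization with hierarchical role and location claims plus an
ABAC runtime check. Constructed illustration only; not EmpowerID or SharePoint code."""
from dataclasses import dataclass
from typing import Callable

# Constructed hierarchies as child -> parents. A node may have more than one
# parent (polyarchy): London sits under both "UK" and "EMEA".
ROLE_PARENTS = {
    "IT Admin": ["IT"],
    "IT Manager": ["IT"],
    "Sales Rep": ["Sales"],
    "IT": ["All Staff"],
    "Sales": ["All Staff"],
}
LOCATION_PARENTS = {
    "London": ["UK", "EMEA"],
    "Manchester": ["UK"],
    "UK": ["EMEA"],
    "Paris": ["EMEA"],
}

# Constructed mapping tables standing in for the connected identity stores
# (HR job codes, Active Directory OUs) and the timecard system.
JOB_CODE_TO_ROLE = {"J100": "IT Admin", "J110": "IT Manager", "J200": "Sales Rep"}
OU_TO_LOCATION = {
    "OU=London,DC=corp": "London",
    "OU=Paris,DC=corp": "Paris",
    "OU=Manchester,DC=corp": "Manchester",
}
TIMECARD = {"alice": "on_duty", "bob": "on_duty", "carol": "off_duty"}


def self_and_ancestors(node, parents):
    """Return the node plus every ancestor reachable through the parent links."""
    seen, stack = set(), [node]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(parents.get(n, []))
    return seen


@dataclass(frozen=True)
class Claim:
    type: str   # "role" or "location"
    value: str


def issue_claims(attributes):
    """Claims-provider step: derive role and location claims from the user's
    source attributes instead of from a hand-maintained group list."""
    claims = set()
    role = JOB_CODE_TO_ROLE.get(attributes.get("hr_job_code"))
    if role:
        claims.add(Claim("role", role))
    location = OU_TO_LOCATION.get(attributes.get("ad_ou"))
    if location:
        claims.add(Claim("location", location))
    return claims


@dataclass
class Policy:
    required_role: str          # matched against the role tree, inheritance included
    required_location: str      # matched against the location tree, inheritance included
    runtime_check: Callable[[str], bool] = lambda user: True   # ABAC condition


def is_authorized(user, attributes, policy):
    """Grant only if some role claim falls under the required role, some
    location claim falls under the required location, and the runtime check holds."""
    claims = issue_claims(attributes)
    role_ok = any(
        policy.required_role in self_and_ancestors(c.value, ROLE_PARENTS)
        for c in claims if c.type == "role")
    location_ok = any(
        policy.required_location in self_and_ancestors(c.value, LOCATION_PARENTS)
        for c in claims if c.type == "location")
    return role_ok and location_ok and policy.runtime_check(user)


def on_duty(user):
    """Constructed timecard lookup used as the ABAC condition."""
    return TIMECARD.get(user) == "on_duty"


# Site permission for the London IT task list: anyone under "IT", located in
# London, and currently on duty.
LONDON_IT_TASKS = Policy("IT", "London", on_duty)
```

Because the decision is recomputed from attributes on every check, moving alice's HR job code from J100 to J200 is enough to revoke her access; nothing in SharePoint has to be edited.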