Joined a new organization that just adopted SharePoint. To manage users, they've created three primary groups - SharePoint Owners, SharePoint Members, and SharePoint Visitors. The SharePoint Visitors group contains only one member - an Active Directory
group that contains all of the members of our department. The reason for this is so that when new employees join and old employees leave the Our Department Active Directory group, they automatically are added to the SharePoint group SharePoint Visitors and
have access to SharePoint and the appropriate permissions.
People from another Active Directory group (internal customers) are selected individually and placed in their appropriate groups.
Our department is broken down into 27 teams or "Tasks." Each Task has Task Members, Managers and Customers (and SharePoint groups to reflect those). Thus, our department has 81 user groups under it. On the site, all of the user groups except the owners are
given limited access, and can only read or contribute on a per Document Library or per Document basis.
In our Task Reports document library, the managers are given contribute status and the employees are given limited status. Employees are only given contribute access to the Task report for their specific task.
Here's a graphical map: