Security groups are used to simplify data and resource access in a complex environment like Windows Server with Active Directory.
Data access rights are specified at the individual file level, then back “up” through the folder system using a mix of inherited rights and declared rights. Keep it simple, these really ARE just digitized piles of paper and folders.
If you have 10,000 files in 1,500 folders, then a change to permissions granted to individual users forces a write to each affected folder and file: a real-time update of each file's security properties. More likely you have hundreds of thousands of files in tens of thousands of folders.
Access is further subdivided by type: can you read it, change it, delete it? You should establish access permissions with client privacy and competitive advantage in mind.
Groups of users can be granted file and folder permissions. Any update to group membership is made once, at the group level (Jan is in, Jim is out), and does not have to re-assert the new access permissions over and over at the file level.
Adding UserX to the “Admin” group is one change at the network-admin level; granting UserX individual access forces thousands of changes at the file level.
Groups of groups (nesting) work too. The “Company” group might contain the “Staff”, “Admin”, “Principal” and “Board” groups but not the “Contractor” group. An “All Users” group could then contain the “Company” and “Contractor” groups.
Groups allow rapid change to data and resource access status as individuals move in and out of groups.
Complication: “Most restrictive wins” is the idea that any limitation of access rights cancels any expansion of rights. If UserX is granted access to a file through group rights but is individually denied at the file level, UserX cannot access the file.
Complication: Inherited permissions are supposed to leverage folder structure so that, for instance, all subfolders under Budget could mimic permissions of the Budget folder. You can, however, stop and start this inheritance so a mish-mash of rights may result.
Best Practice: Keep an updated inventory of users and group membership including the purpose of any group. Perform and log random access attempts to spot gaps and lapses.
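As an added example (not from the original post), here is a PowerShell audit that walks a share and flags the three things discussed above: folders where inheritance has been broken, explicit Deny entries that override any group Allow, and rights granted directly to individual accounts instead of groups. It also flattens nested group membership for the inventory. It assumes the RSAT ActiveDirectory module is installed and uses a hypothetical root path in $Root.

```powershell
# Added audit script, not from the original post. Assumes the RSAT ActiveDirectory
# module and a hypothetical share root ($Root); adjust both before running.
Import-Module ActiveDirectory
$Root = 'D:\Shares\Budget'   # hypothetical folder tree to audit

# Inventory helper: flatten nested membership ("Company" -> Staff, Admin, ...) down to users
function Get-GroupUserInventory {
    param([string]$GroupName)
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object objectClass -eq 'user' |
        Select-Object SamAccountName, DistinguishedName
}

# Is this ACE identity ('CONTOSO\Staff') an AD group? Cached so each name is looked up once.
$groupCache = @{}
function Test-IsAdGroup {
    param([string]$Identity)
    if ($groupCache.ContainsKey($Identity)) { return $groupCache[$Identity] }
    $sam = $Identity.Split('\')[-1]
    try { $isGroup = [bool](Get-ADGroup -Identity $sam -ErrorAction Stop) } catch { $isGroup = $false }
    $groupCache[$Identity] = $isGroup
    return $isGroup
}

$findings = foreach ($dir in @(Get-Item $Root) + @(Get-ChildItem $Root -Directory -Recurse)) {
    $acl = Get-Acl -Path $dir.FullName
    # Inheritance switched off: this folder no longer mirrors its parent (the "mish-mash" risk)
    if ($acl.AreAccessRulesProtected) {
        [pscustomobject]@{ Path=$dir.FullName; Issue='InheritanceDisabled'; Identity=''; Rights='' }
    }
    # Only ACEs set on this folder itself; inherited ones are reported where they were declared
    foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Deny') {
            # "Most restrictive wins": this silently cancels any Allow the user gets via a group
            [pscustomobject]@{ Path=$dir.FullName; Issue='ExplicitDeny'; Identity=$id; Rights=$ace.FileSystemRights }
        } elseif ($id -notlike 'BUILTIN\*' -and $id -notlike 'NT AUTHORITY\*' -and -not (Test-IsAdGroup $id)) {
            # Rights granted to an individual (or an orphaned SID) rather than a group: the per-file churn above
            [pscustomobject]@{ Path=$dir.FullName; Issue='DirectUserGrant'; Identity=$id; Rights=$ace.FileSystemRights }
        }
    }
}

$findings | Sort-Object Issue, Path | Format-Table -AutoSize
# Log the run so gaps and lapses can be compared between audits
$findings | Export-Csv -Path "$env:TEMP\acl-audit.csv" -NoTypeInformation
Get-GroupUserInventory -GroupName 'Company' | Export-Csv -Path "$env:TEMP\company-members.csv" -NoTypeInformation
```

Run it from an account that can read ACLs on the whole tree; a folder you cannot read will surface as a Get-Acl error rather than a finding.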
UNSOLICITED BUSINESS RECOMMENDATION: Microsoft has never given any meaningful data-file organizational tools to its Windows Server admins… their approach is mechanical and clumsy. A third-party vendor Varonis re-processes this folder-centric system into a database that allows you to query dynamically, and visualize the actual permissions associated with a file and/or folder. They then provide tools to analyze and manage the data file collection.