When would you typically use groups versus roles for access management, and what are the benefits?

Study for the User Account Management Test. Enhance your skills with flashcards and multiple choice questions, each with hints and explanations. Be prepared for success!

Multiple Choice

When would you typically use groups versus roles for access management, and what are the benefits?

Explanation:
In access management, using groups and roles together lets you separate who you are from what you can do. Groups are about organizing people who share access needs; they bundle users so you can grant or revoke access to resources in one place. Roles define a specific set of permissions or privilege scopes, so you can assign a role to a user or let them assume it to perform particular tasks. The combination brings clear benefits: provisioning is simpler because adding or removing a user affects all resources tied to the groups they belong to; roles enforce least privilege by granting only the necessary permissions for a task, and they create an auditable trail since role assignments and role assumptions are trackable. Roles also support temporary or cross-account access when needed.

The idea that groups grant unlimited access isn’t accurate, because permissions come from how groups and roles are used together; simply belonging to a group doesn’t imply limitless rights. Roles don’t determine authentication methods—the authentication step verifies identity, while roles govern what you’re allowed to do after you’re authenticated. And groups don’t replace roles; they serve a complementary purpose by organizing users and simplifying membership management while roles define the actual permission scope.
