What is the best approach for assigning permission levels in SharePoint?
One recommendation is to use AD groups or SharePoint groups that contain AD groups rather than individuals to control access. It's much easier to clean up AD group membership when an individual leaves than to track down all the places where you've given them individual access (including membership in SharePoint groups).
Most intranet-based organizations use Active Directory to manage user profiles and the authentication process on the network. SharePoint uses Active Directory to authenticate users and to build user profiles for its basic personalization features. If the organization uses Active Directory, SharePoint becomes a convenient browser-based tool to work in, because a user who has logged in to the domain does not typically need to enter credentials again to access a SharePoint site. This works because the system administrator added the SharePoint server as a member of the Active Directory domain when configuring it. When you enter your username and password to connect to the network, the SharePoint environment recognizes you as a domain member and does not ask for your username and password again. In addition, SharePoint lets you connect to sites based on your site group membership, and your permissions carry over as you access other Windows-based systems such as file shares or printers. Most users prefer this experience because managing multiple usernames and passwords is tedious and confusing.
See here for how to add an Active Directory group to SharePoint.
Advantages of Active Directory groups over SharePoint groups:
> Members of the group can be managed within Active Directory. Only Active Directory administrators have permission to modify group memberships. The groups are normally created and maintained by the IT department.
> AD groups can be nested, e.g. you can add another AD group as a member of an existing AD group.
> They can be used across different SharePoint sites and site collections.
> No in-depth knowledge of SharePoint is needed; a network administrator can implement this.
If AD groups are used inside SharePoint groups, you generally need to find the SharePoint groups for a given AD user. You can get all of a user's AD groups using the following:
http://urenjoy.blogspot.com/2009/04/getting-active-directory-groups-from.html and then use each AD group as a SharePoint user to get its SharePoint groups and check roles/permissions.
However, in organizations with thousands of users, it’s more realistic to add Active Directory security groups to a SharePoint site group. This not only reduces administrative overhead when you first set up a site, but also means the site’s membership stays up-to-date as new users join or leave the organization. As you add users to the Active Directory security group, they are automatically assigned to the SharePoint site group that has been associated with the security group.
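To find the places where individuals rather than AD groups have been given access (the cleanup problem described at the top), a read-only audit can be run against a site collection. This is an added example, not code from the original post; it assumes on-premises SharePoint Server with the SharePoint Management Shell, and the site URL is a placeholder.

```powershell
# Added example: list accounts that were granted access individually.
# Read-only: it reports findings and changes no permissions.
# Assumption: run by an account that can read the whole site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl = "http://intranet.example.local"   # placeholder: your site collection URL

$site = Get-SPSite -Identity $siteUrl
try {
    $findings = @()

    # 1. Members of SharePoint groups that are individual accounts, not AD groups.
    foreach ($group in $site.RootWeb.SiteGroups) {
        foreach ($member in $group.Users) {
            if (-not $member.IsDomainGroup) {
                $findings += New-Object PSObject -Property @{
                    Web = $site.RootWeb.Url; Via = "SharePoint group: $($group.Name)"
                    Account = $member.LoginName; Levels = ""
                }
            }
        }
    }

    # 2. Individuals given permission levels directly on a site.
    foreach ($web in $site.AllWebs) {
        try {
            # Sites that inherit permissions are covered by their parent's entry.
            if ($web.HasUniqueRoleAssignments) {
                foreach ($ra in $web.RoleAssignments) {
                    $m = $ra.Member
                    if ($m -is [Microsoft.SharePoint.SPUser] -and -not $m.IsDomainGroup) {
                        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ", "
                        $findings += New-Object PSObject -Property @{
                            Web = $web.Url; Via = "Direct assignment"
                            Account = $m.LoginName; Levels = $levels
                        }
                    }
                }
            }
        }
        finally { $web.Dispose() }
    }

    $findings | Sort-Object Account, Web |
        Select-Object Account, Web, Via, Levels | Format-Table -AutoSize
}
finally { $site.Dispose() }
```

Each row is a candidate for replacement by an AD security group placed in the matching SharePoint site group; lists and libraries with their own unique permissions are not covered by this script.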