There's a great article by Adam Macaulay on MSD2D about using Cross-Site groups to manage your SharePoint users.  It's written from a CorasWorks perspective, but don't let thinking it's a promotional piece keep you from reading it -- it has lots of excellent information for the SharePoint administrator including a discussion of the types of permission management:  

"The first question is, what type of permission management can you use within a SharePoint Site? It comes down to four items:

  • First, there are individual users who can be added/edited/deleted from a site collection or a sub-site.
  • Second, there is an Active Directory group, which can be added/edited/deleted from a site collection or a sub-site.
  • Third, you can control access via a Cross-Site group which you can add/edit/delete from a site collection and then control access of this same group across your sub-sites.
  • Finally, there is anonymous access control, which allows you to give everyone access to a site collection and/or sub-sites."