Those of us who have been doing this for a while have learned that there really is a right way and a wrong way of working with users and groups. While working on the JIRA certification exam, however, I discovered that there is no published documentation on the subject. So consider this a permissions best-practice article from someone who helped write the certification.
As a tl;dr, you should use roles whenever possible. With that established, I’ll go into a bit more detail.