In preparation for a new project, I recently posted a pretty long list of groups-and-roles-centered use cases and integration requirements to the Sakai Confluence site. Rather than trying to keep two copies up-to-date, here's a pointer:

Sakai Federated Authorization Needs