When assigning permissions in SharePoint arguably best way to doit is via SharePoint groups. The problem arises when you have to delegate the permission so "power" users (not administrators) start managing permissions and start dishing out explicit permissions and do a mix and match on site, library, folder and item level.
My method is really simple:
- You create all SharePoint groups you need in specific site
- You then set the person to manage permission as SharePoint group owner. This gives that user permission to add/remove users from that group and therefore assigning permissions in their site.
- If more than person is managing permissions, create a SharePoint group and add all "power" users to this group, let's call Access Administrators.
- You can then set SharePoint group Access Administrators to be owner of SharePoint group they use for giving other users to their site
- Note you might need to give or publish a direct link to SharePoint users as typically power users will not have access to Site Action therefore will not be able to navigate to Security Settings to open groups they own.
Example
Site: Finance
SharePoint Groups:
Finance Access Administrators (FAA), owner SharePoint Administrator, Contribute
Finance Visitors, owner FAA, Read
Finance Members, owner FAA, Contribute