I often hear people use the terms "group" and "role" as if they are completely different things, while I would argue that they are the same thing.
A role is a function assumed by a person or thing in a particular scenario. A group is a number of things considered similar. One might correctly conclude, then, that a role is a group of users, or the ACLs applied to a user.
Now wait a minute, you say, those are two different things. Yeah, sure, they are, but a group without ACLs is nothing. A role without ACLs is a group. Therefore, a group is a role.
The issue is that roles are controlled within an application: they group together ACLs, which are then applied to users and groups that may or may not be retrieved from a directory. Then administrators start assigning groups and users to roles, because somebody thought it would be a good idea to provide the functionality to do so. This only makes things more complicated and harder to manage.
Simplify your application and infrastructure. Start thinking in these terms: a logical container of N users, with specific ACLs applied, equals a role (aka group).
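To make the two models concrete, here is an added example (not code from the original post) that resolves the same constructed users, groups and ACLs both ways: once through an application role layer that accepts both directory groups and individual users, and once with the flat "group with ACLs" container argued for above. All names and ACL strings are made up for the illustration.

```python
# Constructed sample data for the two models; nothing here comes from the post.

DIRECTORY_GROUPS = {            # membership as a directory would return it
    "finance": {"alice", "bob"},
    "auditors": {"carol"},
}

# Layered model the post argues against: the application owns "roles" that
# carry the ACLs, and administrators attach directory groups AND individual
# users to them. Note that carol is only an auditor in the directory but has
# also been added to the editor role directly inside the application.
APP_ROLES = {
    "report-viewer": {"acls": {"report:read"},
                      "groups": {"finance", "auditors"}, "users": set()},
    "report-editor": {"acls": {"report:read", "report:write"},
                      "groups": {"finance"}, "users": {"carol"}},
}

def effective_acls_layered(user):
    """Walk role -> group -> directory membership, plus direct user grants."""
    acls = set()
    for role in APP_ROLES.values():
        via_group = any(user in DIRECTORY_GROUPS.get(g, ()) for g in role["groups"])
        if via_group or user in role["users"]:
            acls |= role["acls"]
    return acls

def who_can_layered(acl):
    """Audit question 'who holds this ACL?' needs all three maps."""
    holders = set()
    for role in APP_ROLES.values():
        if acl in role["acls"]:
            holders |= role["users"]
            for g in role["groups"]:
                holders |= DIRECTORY_GROUPS.get(g, set())
    return holders

# Flat model the post recommends: a role is a group of N users with ACLs.
GROUPS_WITH_ACLS = {
    "finance":  {"members": {"alice", "bob"}, "acls": {"report:read", "report:write"}},
    "auditors": {"members": {"carol"},        "acls": {"report:read"}},
}

def effective_acls_flat(user):
    """One membership check per group; nothing else to resolve."""
    return {a for g in GROUPS_WITH_ACLS.values() if user in g["members"] for a in g["acls"]}

def who_can_flat(acl):
    """Same audit question: a single pass over the groups."""
    return {m for g in GROUPS_WITH_ACLS.values() if acl in g["acls"] for m in g["members"]}
```

In the layered model carol ends up with write access that her directory group never granted, and answering "who can write?" means walking roles, role-to-group links and the directory; in the flat model both questions are a single membership lookup.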