My question is perhaps more philosophical than technical, but I'm hoping for informed opinions and understand there is no definitive or "best" answer.
A coworker and I disagree on AD (security) groups. I believe they should be a reflection of the organization: i.e. the "Sales" group should contain only people in the Sales department, and not contain folks from Finance who need to see some Sales data.
He says the opposite: Finance folks should be in the Sales group so they can get some reports or emails.
My motivation is that I develop software for our company, including our intranet. I routinely create dashboards and reports for people and departments. What I want is to say "give me all the members of the Service group" and get a list of all our service technicians, service managers, and such. He says that instead I should be looking at AD job titles, asking for all users that have an array of titles to reflect who works in the Service department (since we currently have Finance and Execs in the AD "Service" group).
I'm trying hard to see the validity of his point, but no matter what I consider, using groups in the way he proposes is an anti-pattern. But that's not conducive to constructive conversation. I'm hoping some outside opinions may help me understand his position better.
How do you, as an IT professional, think AD groups should be laid out and maintained (besides the well-accepted guidelines for OUs, nesting, and such)?
Thanks in advance for helping me avoid my own narrow-mindedness.
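As an added example, not part of the question above and not the poster's own setup: one layout that satisfies both positions is to keep two kinds of groups apart, role groups whose membership mirrors the org chart (who someone is) and resource groups named for what they grant (what someone can reach), and to nest the role groups into the resource groups. The PowerShell below sketches that layout with the ActiveDirectory module; the group names, the OU path, and the "Service*" job-title convention are assumptions.

```powershell
# Added example (not from the original post): role groups vs. resource groups in AD,
# so "Sales" stays a true roster while Finance still reaches the Sales reports.
# Group names, the OU path and the title convention are assumed for illustration.
Import-Module ActiveDirectory

$ou = 'OU=Groups,DC=example,DC=local'   # hypothetical container for the groups

# 1. Role groups: membership reflects the organization and nothing else.
foreach ($dept in 'Sales', 'Finance', 'Service') {
    New-ADGroup -Name "Role-$dept" -GroupScope Global -GroupCategory Security -Path $ou
}

# 2. Resource (access) groups: named for the permission they carry, not for who is in them.
New-ADGroup -Name 'ACL-SalesReports-Read' -GroupScope DomainLocal -GroupCategory Security -Path $ou

# 3. Grant access by nesting role groups into the resource group.
#    Finance can read the reports without ever becoming a member of "Sales".
Add-ADGroupMember -Identity 'ACL-SalesReports-Read' -Members 'Role-Sales', 'Role-Finance'
# The share or report ACL then references ACL-SalesReports-Read only.

# Query A: "give me everyone in Service" -- the roster question from the post.
Get-ADGroupMember -Identity 'Role-Service' |
    Select-Object -ExpandProperty SamAccountName

# Query B: "who can read Sales reports?" -- -Recursive flattens the nested groups.
Get-ADGroupMember -Identity 'ACL-SalesReports-Read' -Recursive |
    Select-Object -ExpandProperty SamAccountName

# Query C: the job-title approach, for comparison; only as good as the Title attribute's upkeep.
Get-ADUser -Filter "Title -like 'Service*'" -Properties Title |
    Select-Object SamAccountName, Title

# Hygiene check: a role group should hold users only, never nested groups or service accounts.
Get-ADGroupMember -Identity 'Role-Sales' |
    Where-Object objectClass -ne 'user'
```

With this split, a dashboard asks Query A for "who works in Service" and an access review asks Query B for "who can see Sales data", and neither answer contaminates the other; the hygiene check at the end is what keeps the role groups honest over time.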