Where are the different places where authorization groups can be assigned within the system? I'm trying to understand how flexible authorization groups are in controlling access in the system.