Forum Discussion
Users unable to determine who has access to document library due to security groups
Hi,
A good practice is to grant the minimum permissions required to get the work done and to assign permissions at the highest possible level, as well as to separate content with distinct permissions into separate libraries/site collections… that’s the theory.
In practice, as you wrote, situations vary: there are power users, exceptions, and temporary needs. It seems to me that a lot depends on the policy you define—for example, exceptions are managed only by IT, which, based on a request, maintains a register and grants additional permissions according to its own scheme (who, where, for how long, etc.).
If you are more focused on users managing these permissions themselves, then appointing site owners and training them to use SharePoint groups instead of Security Groups, as far as I remember, provides greater transparency for users in terms of who belongs to which group, and so on. Entra ID groups offer better performance (related to indexing, as I recall) and centralized management, but they require permissions outside of SharePoint to manage them. Additionally, from an IT perspective, it is worth conducting periodic audits of sharing links and exceptional permissions to identify and remove outdated or excessive access as staffing and project structures change. The sites themselves should also be covered by top-level policies defining access rules, etc.
I hope this helps you somehow in finding the solution that works best for you.
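The periodic audit suggested above can be scripted. The following is an added example and not code from the original post or from Microsoft: it uses PnP PowerShell to list every SharePoint group on one site together with its members and flags the members that are Entra ID security groups, since those are exactly the entries whose membership a site owner cannot see from SharePoint. The tenant and site URLs are placeholders, the CSV path is an assumption, and `Get-PnPGroup`, `Get-PnPGroupMember` and the `c:0t.c|tenant|` login-name prefix for Entra group claims are used as I know them from the PnP.PowerShell module.

```powershell
# Added example (not from the original post): audit SharePoint groups on one site
# and flag members that are Entra ID security groups, whose membership is opaque
# from inside SharePoint and must be resolved in Entra.
# Assumptions: PnP.PowerShell is installed; URLs below are placeholders.

param(
    [string]$SiteUrl    = "https://TENANT-PLACEHOLDER.sharepoint.com/sites/SITE-PLACEHOLDER",
    [string]$ReportPath = ".\sp-group-audit.csv"   # assumed output location
)

Import-Module PnP.PowerShell -ErrorAction Stop
Connect-PnPOnline -Url $SiteUrl -Interactive

$rows = foreach ($group in Get-PnPGroup) {
    $members = @(Get-PnPGroupMember -Group $group)

    if ($members.Count -eq 0) {
        # Empty groups still grant nothing but clutter the permission model; list them for cleanup
        [pscustomobject]@{
            Group  = $group.Title
            Member = '(none)'
            Login  = ''
            Kind   = 'Empty'
            Opaque = $false
        }
        continue
    }

    foreach ($m in $members) {
        # Entra ID security groups appear in SharePoint as claims with login name
        # "c:0t.c|tenant|<object id>"; their members are not visible here.
        $isSecurityGroup = ($m.PrincipalType -eq 'SecurityGroup') -or
                           ($m.LoginName -like 'c:0t.c|tenant|*')
        [pscustomobject]@{
            Group  = $group.Title
            Member = $m.Title
            Login  = $m.LoginName
            Kind   = [string]$m.PrincipalType
            Opaque = $isSecurityGroup
        }
    }
}

$rows | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary for the person running the audit: how many entries need an Entra lookup
$opaque = @($rows | Where-Object { $_.Opaque })
Write-Host ("{0} group memberships written to {1}; {2} are Entra security groups that must be expanded in Entra ID." -f
    $rows.Count, $ReportPath, $opaque.Count)
$opaque | Select-Object Group, Member, Login | Format-Table -AutoSize
```

Run it once per site (or loop over the sites returned by your tenant inventory) and keep the CSVs; comparing two runs shows which groups gained members or which security groups were nested since the last audit. Rows flagged `Opaque` are the ones to expand on the Entra side, which is the "permissions outside of SharePoint" cost the post mentions.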