Long answer:
Summary:
Authorization - set of { (user, resource, action) }
Premission - (resource,action) pair
Groups are sets of people (user)
Roles are set of permission
Explanation:
Groups and roles are a confused and mixed up concept. I have found that if there is any consensus it is that both are used to connect users and permissions (the ability to act on some resource). Ultimately all authorization is related to connecting a user, a resource, and and action; for example Jane and make a reservation on American Airlines flight 123... The user is Jane, the resource is AA 123, and the action is make reservation. Think of this as a big 3D table or matrix along one side we have users, along the other we have resources and along the third side we have actions. This becomes large really quickly. The more finely we divide the resources bigger the administration problem.
To make this matrix smaller we put similar user together into named buckets and call them groups. We combine resource and action and call permissions, and we combine sets of these permissions and call them roles. The idea being to make the sides (dimensions) of the matrix smaller. Now we can transform the old matrix to one of connecting roles and groups to manage authorization.
I have found that this way of thinking about he problem makes it manageable. Unfortunately the real world is complex and sometimes people want administer the system where they add users to roles and capability (resource and action) to groups and this expedience is what makes roles and groups so confusing.