In my last two jobs, which cover a span of ten years, we've used AD domain group authentication. For example, MYCORP\DBA_Production, MYCORP\StoreOpsQA, MYCORP\MarketingBI. As employees are hired (or switched between teams), let HR and executive management maintain group membership. You don't want the DBA in a large organization to be pestered with daily changes in (organizational) role membership.
Also, unless you're trying to protect highly sensitive data (i.e., customer contacts or payments), it's best not to get too granular. For example, even if Jane Smith is the only person in DevOps who needs a particular PowerBI report against the production server, grant permissions to all her peers in the DevOps team, because you never know when someone else may need to cover for her while she's out on vacation. The more groups and roles the DBA must manage, the more effort it requires, and the greater the chance for mistakes. When you have a database server with hundreds of group or individual logins, it's too easy for things to get out of hand.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
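
The group-based setup described in the post above, sketched in T-SQL as an added example that is not part of the original post. The database ReportingDB, the schema reporting and the role report_reader are hypothetical names; the second half audits how many group versus individual logins a server has accumulated.

```sql
-- Added example. ReportingDB, reporting and report_reader are hypothetical.

-- 1. One server login for the AD group. Who belongs to the group is
--    maintained in Active Directory, not on the SQL Server.
CREATE LOGIN [MYCORP\MarketingBI] FROM WINDOWS;
GO

USE ReportingDB;
GO

-- 2. Map the group to a database user and grant through a role, so
--    permissions are stated once per team rather than once per person.
CREATE USER [MYCORP\MarketingBI] FOR LOGIN [MYCORP\MarketingBI];
CREATE ROLE report_reader;
GRANT SELECT ON SCHEMA::reporting TO report_reader;
ALTER ROLE report_reader ADD MEMBER [MYCORP\MarketingBI];
GO

-- 3. Audit: how many logins of each kind does this server carry?
--    G = Windows group, U = individual Windows login, S = SQL login.
SELECT type_desc, COUNT(*) AS login_count
FROM sys.server_principals
WHERE type IN ('G', 'U', 'S')
  AND name NOT LIKE '##%'                 -- internal certificate-based logins
GROUP BY type_desc
ORDER BY login_count DESC;

-- 4. Individual Windows logins: candidates to fold into an AD group.
SELECT name, create_date, is_disabled
FROM sys.server_principals
WHERE type = 'U'
  AND name NOT LIKE 'NT SERVICE\%'
  AND name NOT LIKE 'NT AUTHORITY\%'
ORDER BY create_date;

-- 5. Review who currently inherits access through the group.
EXEC xp_logininfo 'MYCORP\MarketingBI', 'members';
```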