We (http://gruntwork.io) are still establishing best practices around managing multiple AWS accounts, but so far having a single "admin" account where all IAM Users are managed seems like a best practice. You can then implement a nifty dropdown that allows IAM Users to easily switch accounts. [1] I'm not sure about how IAM Groups fit into this.
For IAM Roles, we use Infrastructure-as-Code (Terraform) to create all those anyway, so I still prefer to create those in the AWS account that contains the resources to which they apply.
Just for anyone wondering, as per joshpadnick's great suggestions, you can specify other AWS accounts' users/roles via Principal in a policy as well. Just use the other AWS account in the ARN. Edit: if you want to do so via policies, that is.
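Putting the two comments above together (IAM Users and Groups kept in one "admin" account, IAM Roles created with Terraform in the account that owns the resources, and the cross-account Principal expressed as the other account's ARN), here is an added Terraform example. It is not code from the thread or from Gruntwork; the account IDs `111111111111` and `222222222222`, the role and group names, the provider aliases and the use of the AWS-managed `ReadOnlyAccess` policy are all placeholders chosen for illustration.

```hcl
# Added example, not from the thread. Two provider aliases stand in for the
# two accounts; credentials for each come from your own profiles/environment.
provider "aws" {
  alias  = "admin"     # account 111111111111: where IAM Users/Groups live (placeholder id)
  region = "us-east-1" # placeholder region
}

provider "aws" {
  alias  = "resources" # account 222222222222: where the resources and the Role live (placeholder id)
  region = "us-east-1" # placeholder region
}

# --- Resource account: the Role and its trust policy ---

# Trust policy: the Principal is the *other* account's ARN. The ":root"
# form means "any principal in account 111111111111 that has itself been
# granted sts:AssumeRole on this role"; it does not mean the root user only.
data "aws_iam_policy_document" "trust_admin_account" {
  provider = aws.resources
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::111111111111:root"] # placeholder admin account id
    }
    # Hardening: only sessions that authenticated with MFA may assume the role.
    condition {
      test     = "Bool"
      variable = "aws:MultiFactorAuthPresent"
      values   = ["true"]
    }
  }
}

resource "aws_iam_role" "readonly_from_admin" {
  provider           = aws.resources
  name               = "ReadOnlyFromAdmin" # placeholder role name
  assume_role_policy = data.aws_iam_policy_document.trust_admin_account.json
}

# What the role may do once assumed (least privilege: read-only here).
resource "aws_iam_role_policy_attachment" "readonly" {
  provider   = aws.resources
  role       = aws_iam_role.readonly_from_admin.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# --- Admin account: who is allowed to assume that Role ---

# Permission policy scoped to exactly one role ARN in the resource account.
data "aws_iam_policy_document" "allow_assume_readonly" {
  provider = aws.admin
  statement {
    actions   = ["sts:AssumeRole"]
    resources = ["arn:aws:iam::222222222222:role/ReadOnlyFromAdmin"] # placeholder
  }
}

resource "aws_iam_policy" "allow_assume_readonly" {
  provider = aws.admin
  name     = "AllowAssumeReadOnlyInResourceAccount" # placeholder policy name
  policy   = data.aws_iam_policy_document.allow_assume_readonly.json
}

# Attach it to an IAM Group rather than to individual Users, so group
# membership in the admin account is the single place access is managed.
resource "aws_iam_group_policy_attachment" "developers_assume_readonly" {
  provider   = aws.admin
  group      = "developers" # placeholder: an existing group in the admin account
  policy_arn = aws_iam_policy.allow_assume_readonly.arn
}
```

Both halves are required: the trust policy in the resource account only says which account is trusted, and the permission policy in the admin account decides which Users (via their Group) may actually call `sts:AssumeRole` on that one role ARN. Scoping `resources` to a single role, and requiring MFA in the trust policy, keeps a compromised long-lived user credential in the admin account from silently reaching every other account.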
I'd be interested to see your team's workflow for multiple accounts @joshpadnick.
[1] https://aws.amazon.com/blogs/security/enable-a-new-feature-i...