We set up all our ldap based user groups, only to find you cant apply them to a location or organization. This seems like a no brainer when it comes to access control. There is an option to pick users, but not user groups. Am I missing something here?
So the goal would be that user groups would grant access to additional orgs/locs to users?
Yes, correct. You can already assign users to locations/orgs, but not groups, so why not?
What we have to do now is essentially create a hostgroup (that is really just acting like a location) assign a user group to it, then assign that host group to the location, to control access. It would be more advantageous and easier to just assign user groups to an org/loc. That way we dont have to fiddle with the host groups in between, which currently forces us to have to use a parent host group for every location to then assign a group to it and assign the host group to a location (or not). We are in the process of adding over 1000 locations 
. The infrastructure we’ve put in place spans some 90,000 servers over 5 organizations, through out I think 1,238 locations. That is going to mean a host group for every single one of those locations, just to control access.