It would be a great thing if it was possible to globally authorize/unauthorize software (as it is now) as well as modifying that by group. There are many times where certain groups of systems should or should not have a specific piece of software. As an example (and its just one of many) I am fine with IT having IT related tools (nmap, wireshark), but not ok for the rest of the enterprise having them. The same goes for various departments, they all have some bits of software that frankly no one else should be using.
The same thing could be said between a group that contains servers that may have a server related piece of software installed (Lets say MySQL, MS SQL, SFTP server) vs desktops which should never have these types of software installed.