It depends how users are registering. For a consumer facing implementation like SaktiCoin, we'd recommend writing your own registration workflow in your portal, and when you've vetted the user, to POST to the SCIM `/Users` endpoint to create the account in the Gluu Server. Alternately, you can also consider using an interception script for registration. Take a look at [this example](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/custom_registration)
While you are saying "Groups", I'd recommend you use the `role` attribute of the user. User claims can be passed to your application via an OpenID Scope.
Note: we do not recommend that you use the built in registration feature of oxTrust (i.e. if your using the registration under the `/identity` path). This is not safe, as oxTrust is better if it's not Internet facing. You don't want to worry about a privilege escalation attack enabling hackers to gain access to the admin interface.