Users rarely know what group they want, or even that they need to request a group membership. They know what they want to access -- a share, folder, SharePoint site, printer, mail DL, etc. One way to address this is to wait for users to try to access a resource, intercept the "access denied" error message and redirect the user to the appropriate request page, where they can see a list of groups with access to the resource and select an appropriate entitlement to request.

Hitachi ID Identity Manager includes technology to do just this, with plugin technology for the Windows shell (client side package for Windows PCs) and for SharePoint (extend the access denied dialog).

    Windows Shell Extension: Replacing the Native Access Denied Dialog