Using sudo, you can define tons of ways for users or groups to be able to run (or not) some commands on some or all systems. You can setup that they may run commands as other users without needing their password. Or you can turn off passwords all together. However, as soon as you start building a list of commands that a certain user or user group can or cannot run, you create the possibility for knowledgeable
Perhaps, we should all use sudo to allow or deny general access to machines or users and use consolehelper to create ways for non-root users to run certain commands and give the means to DBAs to start/stop their own databases or application servers (read Apache, Jboss, Tomcat, etc.)
Consolehelper ties in with PAM to give you native, built-in, modular, Linux security that is almost infinitely configurable. You can use local user accounts, LDAP, NIS or any combination of limiting or allowing uses to do drastic things.