Groups 
and roles represent collections of users
that perform similar functions, or have a similar status in an organization.
Examples of groups are Employees, Developers, or Sales Personnel.
Members of groups can be users and other groups. When users log
on, they cannot select a group they want to use for a session. They
always log on with all the permissions associated with the groups
to which they belong.
Roles 
in Cognos 8 have a similar function
as groups. Members of roles can be users, groups, and other roles.
The following diagram shows the structure of groups and roles.
Users can become members of groups and roles defined in third-party authentication providers, and groups and roles defined in Cognos 8. A user can belong to one or more groups or roles. If users are members of more than one group, their access permissions are merged.
You create Cognos groups and roles when
you cannot create groups or roles in your authentication provider
groups or roles are required that span multiple namespaces
portable groups and roles are required that can be deployed
In this case, it is best to populate groups and roles in the third-party provider, and then add those groups and roles to the Cognos groups and roles to which they belong. Otherwise, you may have trouble managing large lists of users in a group in the Cognos namespace.
you want to address specific needs of Cognos 8 administration
you want to avoid cluttering your organization security systems with information used only in Cognos 8
If you have configured the Cognos Series 7 authentication
provider 
, user collections known as user classes in Series 7
appear as roles in Cognos 8. You can access Series 7
and Cognos 8 using a single logon. If you start your session
by logging on to Series 7, and then access Cognos 8,
you automatically assume the roles that were in effect for you in
Series 7 when you first logged on. You cannot assume different
Series 7 roles.
Users can assume different roles in Series 7 after they access Cognos 8.
The roles used to run reports and jobs are associated with the
users who run the reports interactively , who are the report owners, and whose credentials
are used to run scheduled reports and jobs . Depending on the options selected to run
reports, different roles can be assumed by the process.
When a report runs that has the run as
the owner option selected, the process assumes all the roles associated
with the report owner .
When a scheduled report or job runs, the session assumes all
the roles associated with the user whose credentials were used to
process the request .
In some namespaces, such as Microsoft Active Directory, a distribution list may appear on the Members tab of the Set properties page for a group or role. However, you cannot add distribution lists to a group or role membership, and you cannot use them to set access permissions for entries in the Cognos 8 user interface.
You can add a Cognos distribution list to a Cognos group or role membership using the Software Development Kit (SDK). However, the SDK cannot be used to add an Active Directory distribution list to an Active Directory group. The Active Directory management tools must be used to do this.
If you are configuring security for Cognos 8 Cognos Controller, you use Cognos Controller groups and Cognos Controller roles. For information about using these groups and roles to configure security, see the Cognos Controller Installation and Configuration Guide.
The members of Cognos groups can be users or other groups. The members of Cognos roles can be users, groups, or other roles. You can add entries from multiple namespaces, created both in the authentication providers and in Cognos 8, as members of Cognos groups. You can also create empty groups that do not have any members.
If you plan to create groups or roles that reference entries from multiple namespaces, you must log on to each of those namespaces before you start your task. Otherwise, you will not have full administrative rights for the entries you want to reference.
To access the directory administration tool, you must have execute
permissions for the directory secured feature and traverse permission
for the administration secured function .
We recommend that you use the Cognos groups and roles when you
set up access permissions to entries in Cognos 8 because
it simplifies the process of deployment .
When you delete a Cognos group or role, users’ access permissions based on it are no longer active. You cannot restore access permissions by creating a group or role with the same name.
In Cognos Connection, in the upper-right corner, click Launch, Cognos Administration.
On the Security tab, click Users, Groups, and Roles.
Click the Cognos namespace.
Tip: If you want to delete a Cognos group or role, select the check box next to it and click the delete button.
On the toolbar, click the new group 
or new role 
button.
In the Specify a name and description page, type a name and, if you want, a description for the new group or role, and then select a destination folder and click Next.
If you want to create a group without members, click Finish.
If you want to add members to the new group or role, click Add and choose how to select the users, groups, or roles:
To choose from listed entries, click the appropriate namespace, and then select the check boxes next to the users, groups, or roles.
To search for entries, click Search and in the Search string box, type the phrase you want to search for. For search options, click Edit. Find and click the entry you want.
To type the name of entries you want to add, click Type and type the names of groups, roles, or users using the following format, where a semicolon (;) separates each entry:
namespace/group_name;namespace/role_name;namespace/user_name;
Here is an example:
Cognos/Authors;LDAP/scarter;
Click the right-arrow button and when the entries you want appear in the Selected entries box, click OK.
Tips: To remove entries from the Selected entries list, select them and click Remove. To select all entries in a list, click the check box in the upper-left corner of the list. To make the user entries visible, click Show users in the list.
Click Finish.
You can modify the membership of a Cognos group or role by adding or removing members.
When you remove users, groups, or roles from a Cognos group or role, you do not delete them from the authentication provider or from Cognos 8.
If you plan to modify groups or roles that reference entries from multiple namespaces, you must log on to each of those namespaces before you start your task. Otherwise, you will not have full administrative rights for the entries you want to modify.
To access the directory administration tool, you must have execute
permissions for the directory secured feature and traverse permission
for the Administration secured function .
In Cognos Connection, in the upper-right corner, click Launch, Cognos Administration.
On the Security tab, click Users, Groups, and Roles.
Click the Cognos namespace.
In the Actions column, click the properties button for the group or role whose membership you want to modify.
Click the Members tab.
If you want to add members, click Add and choose how to select members:
To choose from listed entries, click the appropriate namespace, and then select the check boxes next to the users, groups, or roles.
To search for entries, click Search and in the Search string box, type the phrase you want to search for. For search options, click Edit. Find and click the entry you want.
To type the name of entries you want to add, click Type and type the names of groups, roles, or users using the following format, where a semicolon (;) separates each entry:
namespace/group_name;namespace/role_name;namespace/user_name;
Here is an example:
Cognos/Authors;LDAP/scarter;
Click the right-arrow button and when the entries you want appear in the Selected entries box, click OK.
Tips: To remove entries from the Selected entries list, select them and click Remove. To select all entries in a list, click the check box in the upper-left corner of the list. To make the user entries visible, click Show users in the list.
To remove members from a Cognos group or role, in the Set Properties page, specify which users, groups, or roles to remove, and click Remove.
Click OK.
