Groups 
and roles represent collections of users
that perform similar functions, or have a similar status in an organization.
Examples of groups are Employees, Developers, or Sales Personnel.
Members of groups can be users and other groups. When users log
on, they cannot select a group they want to use for a session. They
always log on with all the permissions associated with the groups
to which they belong.
Roles 
in IBM Cognos 8 have a similar
function as groups. Members of roles can be users, groups, and other
roles.
The following diagram shows the structure of groups and roles.
Users can become members of groups and roles defined in IBM Cognos 8, and groups and roles defined in authentication providers. A user can belong to one or more groups or roles. If users are members of more than one group, their access permissions are merged.
You create Cognos groups and roles when
you cannot create groups or roles in your authentication provider
groups or roles are required that span multiple namespaces
portable groups and roles are required that can be deployed
Create the required groups and roles in your authentication provider, and add them to the appropriate Cognos groups and roles.
you want to address specific needs of IBM Cognos 8 administration
you want to avoid cluttering your organization security systems with information used only in IBM Cognos 8
If you have configured the IBM Cognos Series 7 authentication
provider 
, user collections known as user classes in Series 7
appear as roles in IBM Cognos 8. You can access Series 7
and IBM Cognos 8 using a single logon. If you start your
session by logging on to Series 7, and then access IBM
Cognos 8, you automatically assume the roles that were
in effect for you in Series 7 when you first logged on.
You cannot assume different Series 7 roles.
Users can assume different roles in Series 7 after they access IBM Cognos 8.
The roles used to run reports and jobs are associated with the
users who run the reports interactively , who are the report owners, and whose credentials
are used to run scheduled reports and jobs . Depending on the options selected to run
reports, different roles can be assumed by the process.
When a report runs that has the run as
the owner option selected, the process assumes all the roles associated
with the report owner .
When a scheduled report or job runs, the session assumes all
the roles associated with the user whose credentials were used to
process the request .
In some namespaces, such as Microsoft Active Directory, a distribution list may appear on the Members tab of the Set properties page for a group or role. However, you cannot add distribution lists to a group or role membership, and you cannot use them to set access permissions for entries in the IBM Cognos 8 user interface.
You can add an IBM Cognos distribution list to an Cognos group or role membership using the Software Development Kit (SDK). However, the SDK cannot be used to add an Active Directory distribution list to an Active Directory group. The Active Directory management tools must be used to do this.
For IBM Cognos 8, use IBM Cognos Controller groups and roles to configure security. For information about using these groups and roles to configure security, see the IBM Cognos Controller Installation and Configuration Guide.
The members of Cognos groups can be users or other groups. The members of Cognos roles can be users, groups, or other roles. You can add entries from multiple namespaces, created both in the authentication providers and in IBM Cognos 8, as members of Cognos groups. You can also create empty groups that do not have any members.
If you plan to create groups or roles that reference entries from multiple namespaces, you must log on to each of those namespaces before you start your task. Otherwise, you will not have full administrative rights for the entries you want to reference.
We recommend that you use the Cognos roles and roles when you
set up access permissions to entries in IBM Cognos 8 because
it simplifies the process of deployment .
When you delete an Cognos group or role, users’ access permissions based on it are no longer active. You cannot restore access permissions by creating a group or role with the same name.
To administer users, groups, and roles, you must have execute
permissions for the Users, Groups, and Roles secured
feature, and traverse permissions for the Administration secured
function .
In IBM Cognos Connection, in the upper-right corner, click Launch, IBM Cognos Administration.
On the Security tab, click Users, Groups, and Roles.
Click the Cognos namespace.
Tip: If you want to delete an Cognos group or role, select the check box next to it and click the delete button.
On the toolbar, click the new group 
or new role 
button.
In the Specify a name and description page, type a name and, if you want, a description for the new group or role, and then select a destination folder and click Next.
If you want to create a group without members, click Finish.
If you want to add members to the new group or role, click Add and choose how to select the users, groups, or roles:
To choose from listed entries, click the appropriate namespace, and then select the check boxes next to the users, groups, or roles.
To search for entries, click Search and in the Search string box, type the phrase you want to search for. For search options, click Edit. Find and click the entry you want.
To type the name of entries you want to add, click Type and type the names of groups, roles, or users using the following format, where a semicolon (;) separates each entry:
namespace/group_name;namespace/role_name;namespace/user_name;
Here is an example:
Cognos/Authors;LDAP/scarter;
Click the right-arrow button and when the entries you want appear in the Selected entries box, click OK.
Tips: To remove entries from the Selected entries list, select them and click Remove. To select all entries in a list, click the check box in the upper-left corner of the list. To make the user entries visible, click Show users in the list.
Click Finish.
You can modify the membership of an Cognos group or role by adding or removing members.
When you remove users, groups, or roles from an Cognos group or role, you do not delete them from the authentication provider or from IBM Cognos 8.
If you plan to modify groups or roles that reference entries from multiple namespaces, you must log on to each of those namespaces before you start your task. Otherwise, you will not have full administrative rights for the entries you want to modify.
To administer users, groups, and roles, you must have execute
permissions for the Users, Groups, and Roles secured
feature, and traverse permissions for the Administration secured
function .
In IBM Cognos Connection, in the upper-right corner, click Launch, IBM Cognos Administration.
On the Security tab, click Users, Groups, and Roles.
Click the Cognos namespace.
In the Actions column, click the properties button for the group or role whose membership you want to modify.
Click the Members tab.
If you want to add members, click Add and choose how to select members:
To choose from listed entries, click the appropriate namespace, and then select the check boxes next to the users, groups, or roles.
To search for entries, click Search and in the Search string box, type the phrase you want to search for. For search options, click Edit. Find and click the entry you want.
To type the name of entries you want to add, click Type and type the names of groups, roles, or users using the following format, where a semicolon (;) separates each entry:
namespace/group_name;namespace/role_name;namespace/user_name;
Here is an example:
Cognos/Authors;LDAP/scarter;
Click the right-arrow button and when the entries you want appear in the Selected entries box, click OK.
Tips: To remove entries from the Selected entries list, select them and click Remove. To select all entries in a list, click the check box in the upper-left corner of the list. To make the user entries visible, click Show users in the list.
To remove members from an Cognos group or role, in the Set Properties page, specify which users, groups, or roles to remove, and click Remove.
Click OK.
