Groups are used to manage a common set of attributes and role mappings for a set of users. Users can be members of zero or more groups. Users inherit the attributes and role mappings assigned to each group.
You can also create groups to help manage and assign roles to large sets of related users (for example, all members of the sales team are in the “Sales” group).
Groups are hierarchical. A group can have many subgroups, but a group can have only one parent. Subgroups inherit the attributes and role mappings from the parent. Users inherit through the hierarchy as well: a user who belongs only to a child group inherits the attributes and role mappings of both the parent and the child. For example, suppose there is a top-level Sales group with a child North America subgroup. If the parent Sales group has role Y and the North America subgroup has role X, then a user in the North America subgroup has both roles X and Y.
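The inheritance rule above can be checked mechanically when reviewing who ends up holding a role after it is mapped to a parent group. The following is an added example, not code from this documentation or from any product: the `Group` class, the `effective_roles` function, the directly mapped roles and the Europe subgroup are hypothetical, and the sample data is constructed from the Sales / North America case.

```python
# Added example: hypothetical in-memory model, not a product API.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Group:
    name: str
    roles: set = field(default_factory=set)
    parent: Optional["Group"] = None  # a group can have only one parent

    def path(self) -> str:
        """Full path from the top-level group, e.g. /Sales/North America."""
        prefix = self.parent.path() if self.parent else ""
        return f"{prefix}/{self.name}"


def effective_roles(direct_roles, groups):
    """Map every role a user holds to the list of sources granting it.

    direct_roles: roles mapped directly to the user (assumed input)
    groups: groups the user is a direct member of (zero or more)
    """
    granted = {}
    for role in sorted(direct_roles):
        granted.setdefault(role, []).append("direct")
    for group in groups:
        node = group
        while node is not None:  # walk from the member group up to the root
            for role in sorted(node.roles):
                sources = granted.setdefault(role, [])
                if node.path() not in sources:  # shared parents count once
                    sources.append(node.path())
            node = node.parent
    return granted


# Constructed sample data mirroring the example in the text.
sales = Group("Sales", roles={"Y"})
north_america = Group("North America", roles={"X"}, parent=sales)
europe = Group("Europe", parent=sales)  # hypothetical sibling with no roles

if __name__ == "__main__":
    result = effective_roles(set(), [north_america])
    for role in sorted(result):
        print(role, "<-", ", ".join(result[role]))
```

Listing the source of each role shows that a member of a subgroup with no roles of its own still receives everything mapped to the parent.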
Groups versus roles
Groups are a collection of users to whom you can apply roles and attributes in one place. Roles define a type of user, and applications assign permissions and access control to roles.
Composite roles are similar to groups. They provide the same functionality, but the difference is conceptual. Composite roles should be used to apply the permission model to your set of services and applications. Groups should focus on collections of users and their functions in your organization. Use groups to manage users. Use composite roles to manage applications and services.