A Discussion about Security

[Tsunami]

I'm trying to get a solid grasp on security setup.  I have it setup to what seems to work but after speaking with some colleagues, it seems that I could have a more effective method of setting security. 

Currently, I have created groups and assigned them capabilities.  This seems to work but I'm wondering if I could have better utilized the roles/groups that came prepackaged.

For instance, there are the roles of author, query user, consumer and reader.  Also, I have setup groups based on departments within my company (accounting, purchasing, etc).  I was thinking of removing all folder access from the roles and use only the groups to determine which folders can be access.  I was then going to use the roles to determine what capabilities these groups had in the folders they can access.

For example, I would have my accounting group only access the accounting folders/reports/packages within cognos connection (using only traverse?).  Then I would add the accounting group to 'consumers' to allow them to view the reports. 

My confusion comes from what 'permssions' (read/write/execute/traverse) and where they need to be granted.  Consumers already have read/execute/traverse granted in their role.  Now would I only need to add traverse rights to my accounting group and allow the consumer portion take care of what they can do in the areas they have traverse access?

For some reason that doesn't sound right...

I want to have several groups that are in the consumer role but want the groups to be able to access their respective packages/folders/reports. 

I think I'm having a major concept error and need some help getting everything straight.   Any help is very much appreciated.

[FM]

Simply read and understand this:

Cognos Access Permissions:
http://publib.boulder.ibm.com/infocenter/c8bi/v8r4m0/topic/com.ibm.swg.im.cognos.ug_cc.8.4.1.doc/ug_cc_i_AccessPermissions.html?resultof=%22%41%63%63%65%73%73%22%20%22%61%63%63%65%73%73%22%20%22%50%65%72%6d%69%73%73%69%6f%6e%73%22%20%22%70%65%72%6d%69%73%73%22%20

[Suraj]

Simple way is to do this:
1. Manage capabilities using roles.
2. Manage folder permissions using groups.

For folders, you have to give Traverse access to all who needs access along with 'Read' and 'Execute'.
If you deny 'Traverse', 'Read' and 'Execute' permission, users can't even see them.