Groups are sets of users, sets of other groups, or both. Groups enable you to more easily control security because you assign each group different activity rights and access privileges. Groups are created in the portal either by adding them individually as portal objects, or by synchronizing with authentication sources (user repositories such as LDAP or Active Directory).
You might want to have users automatically added to or removed from groups based on properties in their user profiles or other group membership. This is called dynamic group membership. For example, you might want to give users access to a community based on their location, title, department, or any other property in their profile. If you have a community for all the branches in Texas, you could set up a rule that states that all employees in Texas are part of the group. If an employee moves to Arizona, and the "State" property in her profile changes, the employee no longer satisfies this rule.
You can create groups inside a community without affecting portal groups. You create community groups so that you can easily assign responsibilities to community members. For example, you might have a group that is responsible for maintaining schedules in the community.
Community groups are available only within the community. However, you can make a community group available outside of the community by moving the group to a non-community administrative folder.
A role is not a portal object; it is an association between a group and the activity rights required to perform a job function. For example, the Knowledge Directory administrator role is not an object you define; it relates to administrative responsibilities for those who manage content in the Knowledge Directory.
Before you create portal groups for the purpose of assigning roles, you should familiarize yourself with the definition and scope of the administrative tasks you plan to delegate and the activity rights needed to complete those administrative tasks. Some users will handle many tasks, but those tasks might actually encompass several roles. Before creating a role to cover all these tasks, consider if there are situations where the tasks will be broken down into smaller roles. You can easily assign more than one role to a user.