As an example, let's consider that there is a requirement from an organization department A that they want to create a folder (CognosRpts) in the Cognos BI Connection window, which is accessible to all organizations but with the limitation that only their department should be able to modify the contents of that folder. Department B should be able to only access and run the reports to view the results of reports. Department C should only be able to access what is available in that folder, and not be able to modify or run the report.

In this scenario, we will first create a few groups or roles in the Cognos namespace under the Security tab. Let's create a folder and name it Test_Folder. We will create the new test folder, role, and group within Test_Folder. Now let's create three groups named Department A, Department B, and Department C. We will add the required users (or groups or roles) to these groups as and when required. Since our requirement was to allow Department A's users to be administrator users (with read, write, and execute permissions), first we will add all the required users to the Department A group. This may be done by opening Set Properties of the Department A group, opening the Members tab, and then adding users from any of the authentication providers (added using LDAP, AD, and so on). Even whole groups can be added to this self-created group.

Once we have added our required users to all these three groups: Department A, Department B, and Department C, we can proceed to the next step. This step is very important as here we will assign the permissions. We will now navigate to the CognosRpts folder and set its properties. In its Permissions tab, we will add all the three departments and assign the desired privileges. In Security Rights next to the Department A line, we will allow all permissions by selecting all the Allow checkboxes. In the Department B line, we will only check the Traverse, Read, and Execute checkboxes in order to meet the requirements. In the line next to Department C, we will only allow the Traverse permission. Next, the Apply button needs to be clicked. Now, the users of Department A have full rights to the CognosRpts folder; the users of Department B can read, traverse, and execute the contents of the CognosRpts folder; and the users of Departments C can only see the contents of CognosRpts.