To access the DMS, users must be assigned to Groups, or to Roles. Permissions are assigned to Groups and Roles on the Folder level. Roles are used to assign permissions to specific users for specific tasks. Example Roles may be: Reviewer, Publisher, Writer, Editor, Developer, Secretary, Anonymous. In smaller organizations there are likely to be groups with only one user, e.g. the 'manager', and in this case the Group concept can be replaced entirely by the 'Role'.
Workflow actions, e.g. 'review', or 'publish', are typically assigned to a specific Role. The Role is granted permissions for working with the document, based on the type of tasks their role performs - e.g. reviewers need read and write permissions.
User Groups are allocated to Roles on a per-directory basis (by location), and are inherited from the root folder of the DMS. When assigning permissions or actions to Roles in a Workflow, you can use that Workflow anywhere in the site by assigning the appropriate Groups to it in that location.