In Gateway Authentication, Command Groups defined in the Permissions section of a Role or User definition act as a permissions filter.
It's not clear from the Authentication configuration screen, but listing a Command Group in the Permissions section of a User or Role doesn't pull in all the commands from that Command Group. In Authentication, an individually listed command is permitted only if it also appears in one of the Command Groups given. This allows for additional permissions filtering.
As an example, we have a command group called "User Commands" in the Commands section of the Gateway Setup Editor, containing a command called "Simple PS".
Below we have a role called "Demo Role" with the following Permissions section. Notice that it has the "command" option defined.
The Command window shows the "/PLUGIN:sampleNow" command defined with Execute access. It also has the "User Commands" group defined in the Groups section.
As a result, our jdoe user is unable to execute the "/PLUGIN:sampleNow" command despite having Execute access. This is because the "User Commands" command group does not list the "/PLUGIN:sampleNow" command, which removes the user's permission to run it.
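The filter described above can be modelled as a small audit that flags grants which look active in a role but are removed by its command groups. This is an added example, not Gateway code or part of the original page: the `Permission` class, the `evaluate` and `audit` functions and the "Constructed Role" entry are hypothetical, and treating an empty group list as "no filter" is an assumption.

```python
from dataclasses import dataclass, field

# Command groups as described on this page: group name -> commands it lists.
COMMAND_GROUPS = {"User Commands": {"Simple PS"}}

@dataclass
class Permission:
    """Hypothetical model of one role/user 'command' permission entry."""
    commands: dict  # command name -> access level, e.g. "Execute"
    groups: list = field(default_factory=list)  # command groups acting as the filter

def evaluate(perm, command_groups):
    """Return (effective, filtered_out, unknown_groups) for one permission entry."""
    unknown = [g for g in perm.groups if g not in command_groups]
    if not perm.groups:
        # Assumption: with no groups listed, no filter is applied.
        return dict(perm.commands), {}, unknown
    allowed = set()
    for g in perm.groups:
        allowed |= command_groups.get(g, set())
    # A group never adds commands; it only decides which listed commands survive.
    effective = {c: a for c, a in perm.commands.items() if c in allowed}
    filtered = {c: a for c, a in perm.commands.items() if c not in allowed}
    return effective, filtered, unknown

def audit(roles, command_groups):
    """List grants that appear in a role but are removed by the group filter."""
    findings = []
    for role, perm in roles.items():
        _, filtered, unknown = evaluate(perm, command_groups)
        findings += [(role, c, "not in any listed command group") for c in sorted(filtered)]
        findings += [(role, g, "command group not defined") for g in unknown]
    return findings

ROLES = {
    # The role from this page: Execute on /PLUGIN:sampleNow, filtered by "User Commands".
    "Demo Role": Permission({"/PLUGIN:sampleNow": "Execute"}, ["User Commands"]),
    # Constructed contrast case: the listed command is in the group, so it survives.
    "Constructed Role": Permission({"Simple PS": "Execute"}, ["User Commands"]),
}

if __name__ == "__main__":
    for finding in audit(ROLES, COMMAND_GROUPS):
        print(finding)
```

Note that "Demo Role" ends up with no effective commands at all: the group removes "/PLUGIN:sampleNow" and does not contribute "Simple PS".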