Why set groups in AuthenticationResult

The sample code SpringSecurityAuthenticationProvider.java at the link below,

there is a line which sets the groups in AuthenticationResult.

My understanding is that the user/group information comes from either existing Identity service which eventually come from Camunda user/group tables or customized identity service. We need to set user name to indicate which user authenticated. Then why set groups in AuthenticationResult? Does Camunda do the authorization based on the group info from AuthenticationResult or from user’s group membership which is from Identify Service (Camunda DB or external IDM)?