Yes, the groups need to belong in the database.
Your users table should have a column that sets what group they belong to.
In the authenticate user behavior, go to the third step. There you can select columns from your table that will be stored in a session; select the groups column so that the group will be stored in a session at login time.
You then have to configure the access rules for each group to compare the session that contains the user's group.
This is all covered in the user level authentication tutorial on the Security Assist support page. Like I said previously, it was written for SA1, but the concepts are identical in SA2.