1 You might belong to multiple groups. Every aPriori user belongs to at least one group: All Users. But your administrator has probably also made you a member of one or more other groups that reflect something like your region, or the project(s) you work on, or the type of work you do.

2 In general, to have particular access permission to a particular entity, you must belong to at least one group that grants that permission, and not belong to any group that denies that permission. (However, administrators can tweak this rule so that grants and denials are strengthened or weakened.)

3 The most restrictive permission is the one that counts. For example, you might belong to one group that allows you to update a component, and to another group that explicitly prohibits you from updating that component. In this case, the "deny" permission takes precedence and you will not be able to update the component.