Users are granted membership to one or more groups, groups in turn are granted one or
more roles. Administrators can allow and deny actions on the system and for individual
objects by assigning permissions to roles, and granting and revoking roles for appropriate
groups of users. Administrators can also create restriction filters to limit the table data
that a user or group can view.