Sitecore permissions are always a bit of a pain to figure out. You’ve got the question of inheritance of rights from parent nodes, and how role rights conflicts are resolved.
Well, these two links are particularly useful, I found:
- Assigning Access Rights
- The Inherit Access right
- … and the section of the Sitecore documentation that they’re in
There’s quite a lot of reading there, but it’s good content. The easiest way I’ve found for considering permissions is:
Unspecified (effectively no-access) is beaten by Inherited rules (variable) is beaten by Allowed (has access) which is beaten by Deny (No access).
In other words, an explicit Deny will block access to a user.
If there is a conflict between explicitly assigned roles, Deny wins.
If rights are assigned directly to a user (rather than a role) they win – though you shouldn’t be assigning rights directly to users. It’s unmanagable in the long term.