Sitecore permissions are always a bit of a pain to figure out. You’ve got the question of inheritance of rights from parent nodes, and how role rights conflicts are resolved.
Well, these two links are particularly useful, I found:
- Assigning Access Rights
- The Inherit Access right
- … and the section of the Sitecore documentation that they’re in
There’s quite a lot of reading there, but it’s good content. The easiest way I’ve found for considering permissions is:
Unspecified (effectively no access) is beaten by Inherited rules (variable), which is beaten by Allowed (has access), which is beaten by Deny (no access).
In other words, an explicit Deny will block access to a user.
If there is a conflict between explicitly assigned roles, Deny wins.
If rights are assigned directly to a user (rather than a role) they win – though you shouldn’t be assigning rights directly to users. It’s unmanageable in the long term.
Simple, right?
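
The rule of thumb above, written out as a small resolver. This is an added example, not Sitecore code and not its API: the `Item` class, the `resolve` function, the account names and the sample tree are all hypothetical, and it assumes rules are evaluated item by item from the node upwards, without modelling the Inherit access right itself.

```python
from dataclasses import dataclass, field
from typing import Optional

ALLOW, DENY = "allow", "deny"

@dataclass
class Item:
    name: str
    parent: Optional["Item"] = None
    # (account, right) -> ALLOW or DENY; accounts are "user:<name>" or "role:<name>"
    rules: dict = field(default_factory=dict)

def explicit(item, right, user, roles):
    """Decision from rules set on this item only, or None if unspecified."""
    direct = item.rules.get((f"user:{user}", right))
    if direct is not None:
        return direct  # rights assigned to the user beat role rights
    found = {item.rules.get((f"role:{r}", right)) for r in roles}
    if DENY in found:
        return DENY  # conflict between roles: Deny wins
    return ALLOW if ALLOW in found else None

def resolve(item, right, user, roles):
    """Return (granted, reason) for `user` holding `roles` on `item`."""
    node = item
    while node is not None:
        decision = explicit(node, right, user, roles)
        if decision is not None:
            source = "explicit" if node is item else f"inherited from {node.name}"
            return decision == ALLOW, f"{decision} ({source})"
        node = node.parent  # nothing set here: fall back to the parent
    return False, "unspecified"  # no rule anywhere: effectively no access

# Constructed sample tree: content > home > press > draft
content = Item("content", rules={("role:Authors", "read"): ALLOW})
home = Item("home", content)
press = Item("press", home, rules={("role:Authors", "read"): ALLOW,
                                   ("role:Contractors", "read"): DENY})
draft = Item("draft", press, rules={("user:alice", "read"): ALLOW})

if __name__ == "__main__":
    both = ["Authors", "Contractors"]
    for item, user, roles in [(home, "bob", ["Authors"]), (press, "bob", both),
                              (draft, "bob", both), (draft, "alice", both),
                              (home, "carol", [])]:
        print(item.name, user, resolve(item, "read", user, roles))
```

The returned reason string is the useful part when auditing: it shows whether a grant comes from a rule on the item itself or from an ancestor, which is where unintended access usually hides.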