When defining permissions, whether it is a global permission or set on a particular project or configuration, you can either assign a role to a group or user, or assign specific permissions, or a mixture of both. Both roles and explicit permissions are designed to work together and Continua will figure out which permissions should be applied from both the role and explicit permissions list.
When you define permissions on a role, you are only able to assign allow permissions to that role. This was designed so that roles can be assigned with minimal fuss by automatically including all derived permissions as well. For example, if you assign edit configuration to a role, that role will automatically get view configuration as well. Without these automatic inclusions, if you forgot to add a single permission then it could hide a lot of the functionality of Continua. As in the previous example, without view configuration you would never be able to see a configuration to edit it!
These permissions can be overridden by using deny permissions. As stated previously, deny permissions are not available on roles but can instead be found in the Access Control, project security and configuration security sections. Deny permissions are powerful as they allow you to override specific permissions on specific parts of continua. They allow you to essentially prevent users from doing certain actions to particular projects or configurations. For example, Continua can be setup so that all users can edit all configurations. Within this environment is a "release" configuration which should only ever be edited by an administrator. This can be achieved by accessing the Configuration security section and setting the deny permission on Edit Configuration for all users except the administrators, as seen in the image below. By setting these permissions on the 'Release' configuration, any users in the 'Configuration Editors' group would not be able to edit or delete this configuration, even though they can modify all other configurations.
Deny permissions always override allow permissions so if there is ever a conflict, the deny permission will take precedence.