Users have restricted access to the data; access is granted by the admins.
Restrictions are defined per Entity and, for each Entity, per action: Read, Create, Update, Delete and Read Logs.
Roles are groups of users that have the same permissions.
Only admins can maintain roles and their permissions.
Users may have roles and inherit their permissions, but may also have individual permissions.
Only admins can grant individual user permissions.
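
A minimal model of the rules above, as an added example that is not the project's own code. The names Role, User, grant, effective_grants and is_allowed are hypothetical, and the model assumes default deny and that individual permissions only add to role permissions.

```python
from dataclasses import dataclass, field

# The five actions named in the text; entity and user names below are constructed.
ACTIONS = frozenset({"read", "create", "update", "delete", "read_logs"})

@dataclass
class Role:
    name: str
    grants: set = field(default_factory=set)  # {(entity, action)}

@dataclass
class User:
    name: str
    is_admin: bool = False
    roles: list = field(default_factory=list)
    grants: set = field(default_factory=set)  # individual permissions

def grant(actor, target, entity, action):
    """Add a permission to a Role or a User; only admins may do either."""
    if not actor.is_admin:
        raise PermissionError(f"{actor.name} is not an admin")
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    target.grants.add((entity, action))

def effective_grants(user):
    """Assumption: individual grants add to, and never remove, role grants."""
    grants = set(user.grants)
    for role in user.roles:
        grants |= role.grants
    return grants

def is_allowed(user, entity, action):
    """Default deny (assumption): no matching grant means no access."""
    return (entity, action) in effective_grants(user)

def demo():
    admin = User("admin", is_admin=True)
    support = Role("support")
    alice = User("alice", roles=[support])
    grant(admin, support, "Customer", "read")      # inherited through the role
    grant(admin, alice, "Customer", "read_logs")   # individual permission
    try:
        grant(alice, alice, "Customer", "delete")  # non-admin self-grant is refused
    except PermissionError:
        pass
    return {a: is_allowed(alice, "Customer", a) for a in sorted(ACTIONS)}

if __name__ == "__main__":
    print(demo())
```

Access to the data by admins themselves is not described above and is not modeled here.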