What a management user is permitted to do is determined by the roles to which the user is assigned. A system of includes and excludes based on the user membership determines to which role a user belongs.

A user is considered to be assigned to a role if:

  1. The user is:
  2. The user is not:

Exclusions take priority over inclusions.