What a management user is permitted to do is determined by the roles to which the user is assigned. A system of includes and excludes, based on the user's membership, determines which role a user belongs to.
A user is considered to be assigned to a role if:
Exclusions take priority over inclusions.
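The precedence rule above, as an added example that is not part of the original documentation: a small model of role-mapping evaluation, assuming include and exclude entries can name either a user or a group the user is a member of. All role, user and group names are constructed for illustration.

```python
from typing import NamedTuple

class Principal(NamedTuple):
    kind: str  # "user" or "group" (assumed principal types)
    name: str

class RoleMapping(NamedTuple):
    role: str
    include: frozenset
    exclude: frozenset

def principals_of(user, groups):
    """Every principal a login matches: the user itself plus its groups."""
    return {Principal("user", user)} | {Principal("group", g) for g in groups}

def decide(who, mapping):
    """Return (decision, matching entries) for one role mapping."""
    hit_exclude = who & mapping.exclude
    if hit_exclude:  # checked first: any exclusion overrides every inclusion
        return "excluded", sorted(hit_exclude)
    hit_include = who & mapping.include
    if hit_include:
        return "included", sorted(hit_include)
    return "no-match", []

def assigned_roles(user, groups, mappings):
    """Roles the user ends up with after exclusions are applied."""
    who = principals_of(user, groups)
    return {m.role for m in mappings if decide(who, m)[0] == "included"}

def U(name): return Principal("user", name)
def G(name): return Principal("group", name)

# Constructed sample mappings; role, user and group names are illustrative.
MAPPINGS = [
    RoleMapping("operator", frozenset({G("ops")}), frozenset({U("bob")})),
    RoleMapping("auditor", frozenset({U("carol"), U("dave")}),
                frozenset({G("contractors")})),
]

if __name__ == "__main__":
    # Print the decision and the matching entries, as an access review would.
    for user, groups in [("alice", ["ops"]), ("bob", ["ops"]),
                         ("carol", []), ("dave", ["contractors"])]:
        who = principals_of(user, groups)
        for m in MAPPINGS:
            print(user, m.role, *decide(who, m))
```

Returning the matching entries alongside the decision makes it easy to see, during an access review, which exclude entry removed a role that a group include would otherwise have granted.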