Initially a Users permissions are allocated to them via there Role usually allocated by a System Administrator. This level of permissions is the height of there powers, they cannot have any more access then that offered by there Role. However they can have diminished powers, based on the there membership...