Site wide access control is based upon role based access controls. Users can have multiple roles, and their permissions will be cumulative. Fine grained policy based access controls are on the development roadmap.
Current roles:
Anonymous user (no account)
Authenticated user (with account)
Publication creator - can create new publication
Publication manager - can view, edit, delete any publication in any state (draft, review, published, archived)
Group manager
Editor - can review and publish publications
App creator
App manager
System creator
System manager
Site manager
Administrator (Has all site wide privileges)
Only administrator can view and set users roles
All of the following tasks currently require Administrator role