The system manages users in its database. You control the privileges of users through the groups you assign them to. You assign privileges to groups, and then make each user a member of appropriate groups.
This is a role-based system: a group represents a role that a user can have in your organization. Roles have privileges. A user's privileges are the sum of the privileges of the groups the user belongs to. You cannot assign privileges to individual users directly, only to groups.
The system also uses access groups for notification. When you configure the system to send notification messages, the target of the messages must be an access group. See Setting up notification.
Security privileges, or permissions, define what a group can do and see. They can serve as a filter on the group's experience of the system. For example, a user who is a member of the Guest group (and no other groups) sees only Projects that have the Guest group assigned as their Access property. That user can launch only projects with Guest access. If the user were also a member of the Developer group, that user would see all the projects whose Access properties were either Guest or Developer.
The activities and resources that you can control with access groups are Permissions, Servers, Projects, Steps, and Access Groups.
This flexible model allows you to securely give one privilege (such as the ability to run builds) to some types of users, while restricting others (such as the right to edit projects or use certain servers).
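The Guest and Developer case described above can be worked through with a small model. This is an added example, not the product's code or API: the user names, project names, the "Release" group and the permission names `run_builds` and `edit_projects` are constructed for illustration.

```python
# Added illustration: a generic model of group-based access, not product code.
# All user, permission and project names below are constructed sample data.
GROUP_PERMISSIONS = {            # privileges are attached to groups only
    "Guest": {"run_builds"},
    "Developer": {"run_builds", "edit_projects"},
}
USER_GROUPS = {                  # users gain privileges through membership
    "alice": {"Guest"},
    "bob": {"Guest", "Developer"},
    "carol": set(),
}
PROJECT_ACCESS = {               # project -> group named in its Access property
    "docs-site": "Guest",
    "core-build": "Developer",
    "release-train": "Release",
}


def effective_permissions(user):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for group in USER_GROUPS.get(user, set()):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def visible_projects(user):
    """Projects whose Access group is one of the user's groups."""
    groups = USER_GROUPS.get(user, set())
    return sorted(p for p, access in PROJECT_ACCESS.items() if access in groups)


def can_launch(user, project):
    """Default deny: unknown users and unknown projects are refused."""
    access = PROJECT_ACCESS.get(project)
    return access is not None and access in USER_GROUPS.get(user, set())


def grants_via(permission):
    """Audit helper: which users hold a permission, and through which groups."""
    report = {}
    for user, groups in USER_GROUPS.items():
        via = sorted(g for g in groups if permission in GROUP_PERMISSIONS.get(g, set()))
        if via:
            report[user] = via
    return report


if __name__ == "__main__":
    for user in USER_GROUPS:
        print(user, sorted(effective_permissions(user)), visible_projects(user))
    print(grants_via("edit_projects"))
```

Because a privilege can only arrive through a group, a report like `grants_via` is enough to review who holds a sensitive privilege: removing the membership removes the privilege.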