Privileges control exactly what an iCM user is able to do. They exist for almost all menu items and actions in iCM and can be assigned directly to a user or passed to users via their group membership.
Privileges allow tasks to be carried out in the content areas set in the "Content" tab of this group or user. These content roots relate directly to the privileges that have been assigned to this group/user and are not cumulative.
For example, if a user is in one group that grants "Article view" and the content root "all articles", and in a second group which grants "article delete" but the content root is restricted to "latest news" articles, the user will be able to see all articles, but only delete those in the latest news section.
Similarly, if a user is in a general article editing group and also has the "publish immediate" privilege assigned directly to them, but no article content roots assigned to them, the privilege will have no effect. The user will edit and create articles based upon their group inheritance, and the user privileges won't apply to any content roots. If the user was assigned an article content root, "publish immediate" would apply to articles in that content root, but not in other areas of the site.
Note that some management privileges, such as iCM Groups and Users, Approval Requirements and Version Control Policies will, by their nature, give iCM users who are assigned such privileges wider access to, or visibility of, iCM content outside of their content roots.
Privileges are assigned using the "Select" and "Remove" buttons on the privileges tab. Assigned privileges can be selected using Ctrl+click or Shift+click if you need to remove more than one at a time.
Privileges are grouped by Content, Commerce, Management, System Configuration and Other.