GOSS iCM delivers a granular user management system which can be used to create any number of different user access levels and roles.
User privileges exist for every area of iCM, allowing you to create users who have full access to everything, can only edit existing articles, could create media items but not relate them to articles, perhaps have read-only access to forms but create and deploy workflow process models, have full edit privileges but not be allowed to delete any content, or any imaginable combination you can think of.
Once you have decided upon their privileges, users are then assigned content roots for the areas of iCM they can work in. This means you could create users who can view all articles, but only edit or create those in the "latest news" section, or give a user full article editing privileges, but prevent them from adding script inlines or using the forms template. The media library can be similarly restricted, so users could only be allowed to create PDFs, or create any media type, but only in a certain media group.
Users can also be organised into groups, but don't have to be. iCM groups have all of the same privilege and content root options as users, and every user who is a member of a group will inherit its settings. This means that users can be created very quickly, and added to groups, without the need to assign privileges directly to each of them.
Single sign-on allows iCM to authenticate users against an external source like Active Directory. This is most commonly used so that users can log into iCM using their domain username and password. See iCM Single Sign-On for more information.