There are two types of permissions: class-based and object-based. The class-based permissions can be set here. The object-based permissions can be set by users which have write-access to an object. If a user requests an operation access must be allowed class-based as well as object-based in order to perform the specific operation.
Each permission consists of one allow and one deny list. In the allow list user and roles can be white listed and in the deny list they can be black listed.
The access will be granted based on the following rules: