The fundamental permissions for a user are defined by their default role. The product comes with a few default roles (e.g. Developer, Project Lead, QA, Admin). The resources (or files and directories) a user has access to are defined at the group level. With this structure, you can have multiple projects with complex resource definitions and users will be able to perform their default role's permissions on those resources.
For example, let's assume we create two users. Bob with the role of Developer and Mary with the role of QA. Next we create a group named project1 and define what CVS directories that group has access to. Now Bob can perform write operations on those directories and Mary can perform read and tag operations.
