Permissions are used to control what users are allowed to see and do.
Given that there may be a large number of users on a site, it is not practical to assign permissions directly to users. Instead, persmissions are assigned to usergroups, and each user is made a member of a usergroup. Then, when a change needs to be made to the permissions for all the members of a usergroup, just one change needs to be made, and it will affect all members of the usergroup.
Users can be members of several usergroups at the same time. In such cases, all their 'allow" permissions are added together. This means that if a user is a member of two groups, where one "denies" a certain permission, and the other group "allows" it, the "allow" permission takes precedence.