Impact of Group Membership on Permissions

Users can be members of multiple groups. The system handles multigroup membership as follows:

Permissions are applied to inventory objects from the containing object to each of its child entities.
If a user has no explicit user-level permissions, group-level permissions apply as if granted to the user directly.
Membership in multiple groups with permissions on the same object results in a union of permissions.
User-level permissions always take precedence over group-level permissions.