Policies
Similar to Permissions, Policies control what a user can do in the system as a whole, as opposed to individual items of information.
Policies should be set on a group basis. Although you can set policies on individual users, it is recommended you only do this in exceptional circumstances. Defining policies by role, rather than by individuals, simplifies administration.
Users can belong to more than one group. Policies for a user are calculated by using all the settings for all the groups they belong to. All the Allows are summed together, then all the Denies are summed together. If a user has an Allow but not a Deny, then they are given that policy.
There is no need to specify an allow or deny for each policy. If membership of a group does not affect policy, leave both the Allow and Deny boxes unchecked. Check the Allow box only if users are allowed to have this policy, and the Deny box only if they are definitely not allowed.
In general you should try and just use the Allow box. Using too many Denies becomes very confusing and makes future changes more difficult. Deny is mainly useful for setting up anonymous access (without a login) to the system, where you would explicitly deny access to virtually everything.