Check out http://docs.moodle.org/en/Roles_and_capabilities and http://docs.moodle.org/en/Development:Roles
- Moodle has a huge list of "capabilities", which represent types of actions a user might perform (e.g. create a course, view a course, edit a course, grade an activity, edit your own user profile, edit someone else's user profile, etc.).
- Moodle contains a number of "roles" (e.g. Administrator, Teacher, Student, Guest, Authenticated User), each of which has different "permissions" (allow/deny settings) for those capabilities.
- The Moodle site is split up into "contexts": one context for each course, for each activity, for each category, for each user, and for the site as a whole.
- Users are assigned one or more roles in each context, and this determines what permissions they have in that context.
- Since some contexts are contained within other contexts (for instance, the categories are within the site as a whole, and the courses are within their categories), the roles a user has in a parent context are inherited into the child contexts.
- A set of inheritance rules determines what a user's actual permissions are within a given context, if they have multiple roles within that context that have conflicting permissions.
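
A simplified model of the scheme described above, added here as an example and not Moodle's own code: it shows how a role assigned in a parent context reaches every child context, and how conflicting roles are resolved. The context names, users, role definitions and the conflict rule (any deny overrides allow) are assumptions for illustration; Moodle's actual inheritance rules are in the linked documentation.

```python
# Simplified model of roles, capabilities and contexts (not Moodle's code).
ALLOW, DENY = "allow", "deny"

# Constructed context tree: child -> parent (None marks the site context).
PARENT = {
    "site": None,
    "category:science": "site",
    "course:physics": "category:science",
    "course:chemistry": "category:science",
    "activity:physics-quiz": "course:physics",
}

# Constructed role definitions: role -> {capability: permission}.
ROLES = {
    "teacher": {"course:view": ALLOW, "course:edit": ALLOW, "activity:grade": ALLOW},
    "student": {"course:view": ALLOW, "activity:grade": DENY},
}

# Constructed role assignments: (user, context) -> roles assigned there.
ASSIGNMENTS = {
    ("alice", "category:science"): {"teacher"},
    ("bob", "course:physics"): {"student"},
    ("carol", "course:physics"): {"teacher"},
    ("carol", "activity:physics-quiz"): {"student"},
}


def context_path(context):
    """Return the context followed by all of its ancestors up to the site."""
    path = []
    while context is not None:
        path.append(context)
        context = PARENT[context]
    return path


def effective_roles(user, context):
    """Roles assigned in the context itself plus those inherited from parents."""
    roles = set()
    for ctx in context_path(context):
        roles |= ASSIGNMENTS.get((user, ctx), set())
    return roles


def is_allowed(user, capability, context):
    """Assumed conflict rule: any deny wins, otherwise one allow is enough."""
    perms = {ROLES[r].get(capability) for r in effective_roles(user, context)}
    return DENY not in perms and ALLOW in perms
```

When auditing assignments, note that alice's single category-level teacher role grants edit rights in every course under that category, which is why broad roles are best assigned at the narrowest context that works.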