What is important to understand is that capabilities are assigned within the definition of a role. However, roles are assigned for a specific context. For example, if a given user has the "manager" role at the system level, that role will stay defined for all contexts that are in the context tree below (in other words system-level roles normally apply anywhere). If a given user is assigned, for example, the "teacher" role in the context of a course, that is defined only within that course. The effective capabilities of doing something are a sort of bitwise sum through all roles active for user in a given context, including inheritance and overwrites at each level (unfortunately, the page describing this is removed from docs How_permissions_are_calculated).