Security in Celoxis works within a context. It can be set at two levels.

Company Level
Object Level

When a user performs any action in Celoxis, security is first checked at the Company level to see if the user has the privileges. If there is an explicit Grant/Deny privilege for that user, then the user is permitted/or not. If there is an "Unspecified" at the Company level, then the Object level security is consulted. If the Object level security too has an "Unspecified" then the action is Denied.

Company level

The security at the company level is applicable for all the projects, tasks, documents, time entries and expenses in the company. Company level policies should be defined at this level. Care should be taken when you set explicit Grants or Deny to ensure that this needs to be mandated as a Company policy. A Company level explicit Grant or Deny cannot be overridden at the Object level. To read on how to set company level privileges, please click here.

If a user plays multiple roles, and if ANY of those roles has an explicit deny, it will result in a Deny

Object level

Object level security allows the ability to set security for specific objects. For example, a View Financials privilege at the Company level for the role QA Lead may be "Unspecified", but for a specific project you may want your QA Lead (role) to have View Financial privileges. In that case you can grant them to the QA Lead at the Project level. To read on how to set project level privileges, please click here. For the other 3, go to the object. Click on More, then select Access Control.
You can set specific object level security for

Project
Task
Document / Folder
Discussion

Browser not supported