How are permissions, roles, groups, and admin accounts related?

Permissions are granted through roles or groups, and these roles are assigned to groups so all members of a group share the same set of capabilities. Admin accounts are tied to a single group, so each user inherits the group’s roles and the permissions those roles define. This creates a clean, centralized way to manage who can do what: define a role as a bundle of permissions, attach that role to groups, and place admins into the appropriate group to receive those permissions. If permissions were set directly on individual admins, management would become scattered and harder to update; if roles were not tied to groups, there would be no straightforward way to apply a role to many users at once; if an admin belonged to every group, they’d gain every permission, defeating the purpose of scoped access.