A ACE user is given an access role containing access functions. The access functions define exactly which ACE functions the user is able to utilise. An overview of the Access roles window, and the full description of how to manage an access role and its access functions, are found in Basics about access roles.
An access function consists of two parts:
If you are entitled to Modify user
, you can e.g. change the surname and first name in a user accounts.
If you are entitled to e.g. View user, you can see a person’s surname and first name but not change the names in the user account.
All described in The list of all access functions.
 An example...
An example...
            The operation is Modify.
The object type is System global address book.
There is an access function named Modify system global address book.
A user with an access role that contains Modify system global address book can change the content of a system global address book.
However, the user cannot create or delete such an address book. This would require the more powerful operation Own. The user’s role would have to contain the Own system global address book access function.