Permissions are (loosely) based on a concept borrowed from UNIX file systems: Boxary objects (e.g. article, link, survey) have read, write and execute access permissions. These can be further restricted by roles, accounts and their owner.
For a typical Boxary object, one can set:
All Boxary objects are stored in a tree (of objects). The tree has a root, and objects are made accessible by following the path from the root. This has implications when granting edit access: a user should not be able to edit an object (even one they originally created and/or currently own) unless they also have edit permission for the owning object. This is because the owning object maintains a list of its nodes. This gives the administrator a fine-grained resolution.
Every Boxary content type has its own tree. The collection of trees is not called the wood; it is referred to as groves. Cross references between the trees have implications when granting execute access: a user should not be able to embed cross-referenced objects when lacking execute access on them. This gives the user fine-grained privacy control.
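The two rules above (edit needs write access on the object and on its owning object; embedding a cross-referenced object needs execute access on it) can be modelled as follows. This is an added example, not Boxary's own code: `Node`, `grants`, `can_edit` and `embeddable_refs` are hypothetical names, and per-account permission sets are a simplification of the role, account and owner restrictions.

```python
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE, EXECUTE = "r", "w", "x"

@dataclass
class Node:
    """Hypothetical stand-in for a Boxary object; not Boxary's own data model."""
    name: str
    owner: str
    parent: Optional["Node"] = None              # owning object, None for a tree root
    grants: dict = field(default_factory=dict)   # account -> set of permissions
    refs: list = field(default_factory=list)     # cross references into other trees

def has(node, account, perm):
    # Deny by default: an account without an entry has no access.
    return perm in node.grants.get(account, set())

def can_edit(node, account):
    """Write on the object AND on its owning object, which lists its nodes.
    Being the owner or creator is deliberately not sufficient."""
    if not has(node, account, WRITE):
        return False
    # Assumption: a root has no owning object, so its own write bit decides.
    return node.parent is None or has(node.parent, account, WRITE)

def embeddable_refs(node, account):
    """Names of cross-referenced objects the account may embed (needs execute)."""
    return [r.name for r in node.refs if has(r, account, EXECUTE)]

# Constructed sample grove: one tree per content type.
articles = Node("articles", owner="admin", grants={"bob": {READ, WRITE}})
surveys = Node("surveys", owner="admin")
links = Node("links", owner="admin")
poll = Node("poll", owner="bob", parent=surveys, grants={"bob": {READ, EXECUTE}})
link = Node("link1", owner="alice", parent=links,
            grants={"alice": {READ, EXECUTE}, "bob": {READ}})
post = Node("post", owner="alice", parent=articles, refs=[poll, link],
            grants={"alice": {READ, WRITE}, "bob": {READ, WRITE}})

if __name__ == "__main__":
    print(can_edit(post, "alice"))         # owner, but no write on "articles"
    print(can_edit(post, "bob"))           # write on both post and "articles"
    print(embeddable_refs(post, "alice"))  # execute only on link1
    print(embeddable_refs(post, "bob"))    # execute only on poll
```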