The following permission rules always apply:
A permission is the ability to process a method on an API.
A permission consists of a permission type (ApiUserPermission, ApiManagerPermission, ConfigurationManagerPermission), a name (the name of an interface or configuration) and an action (the name of a method).
You can use the asterisk wildcard (*) to stand for all names: names of interfaces, configurations, or actions.
There is no hierarchy in permissions. The ability to set permission for users is also a permission (for some methods on PermissionApi).
The BEA AquaLogic Service Registry administrator has all permissions for all methods on all APIs.
Permissions are always positive. This means that permissions say what is possible or allowed. Permissions allow a user to perform an action (some method on some API). Any action that is not expressly permitted is denied.
Permissions can be set for an individual user or for a group of members. Each user is a member of the group system#everyone, therefore every user has the default permissions associated with this group.
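The rules above can be modelled as a small evaluator. This is an added example, not code from the product: the class and function names, the `example.*` interface names, the method names, the user names and the choice of ApiManagerPermission for PermissionApi are all constructed for illustration, and it assumes the asterisk replaces a whole name or action rather than part of one.

```python
from dataclasses import dataclass

EVERYONE = "system#everyone"  # group named on the page; every user belongs to it

@dataclass(frozen=True)
class Permission:
    ptype: str   # ApiUserPermission, ApiManagerPermission or ConfigurationManagerPermission
    name: str    # interface or configuration name, or "*"
    action: str  # method name, or "*"

    def implies(self, ptype, name, action):
        # Assumption: "*" stands for a whole name or action, never a fragment.
        return (self.ptype == ptype
                and self.name in ("*", name)
                and self.action in ("*", action))

class Registry:
    def __init__(self, administrator, members=None):
        self.administrator = administrator
        self.members = members or {}  # group -> set of users
        self.grants = {}              # user or group -> set of Permission

    def grant(self, principal, permission):
        self.grants.setdefault(principal, set()).add(permission)

    def principals(self, user):
        # A user's own grants, explicit groups, and the implicit everyone group.
        groups = {g for g, users in self.members.items() if user in users}
        return {user, EVERYONE} | groups

    def is_allowed(self, user, ptype, name, action):
        if user == self.administrator:
            return True  # administrator: all methods on all APIs
        # Positive-only model: one matching grant allows, no match means denied.
        return any(p.implies(ptype, name, action)
                   for principal in self.principals(user)
                   for p in self.grants.get(principal, ()))

def demo():
    # Constructed sample data: users, group and interface names are hypothetical.
    reg = Registry("admin", members={"publishers": {"bob"}})
    reg.grant(EVERYONE, Permission("ApiUserPermission", "example.InquiryApi", "*"))
    reg.grant("publishers", Permission("ApiUserPermission", "example.PublishingApi", "save"))
    reg.grant("alice", Permission("ApiManagerPermission", "PermissionApi", "*"))
    return reg
```

Because there is no deny rule and no hierarchy, auditing access reduces to listing the grants held by the user, the user's groups and system#everyone; a wildcard grant on system#everyone is therefore the entry to review first.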
For more information, see Data Access Control: Principles.