Drupal uses roles and permissions to control user access. There are default roles like authenticated user, administrator, and manager. Permissions are set at the People > Permissions page and control actions like accessing admin pages, commenting, and custom permissions for modules. New roles need permissions assigned and permissions should be checked when new content types or modules are added.

1. Roles and Permissions in
Drupal

2. admin
User Account

3. admin
User Account

4. admin
RolesUser Account
authenticated user
administrator

5. admin
Roles
authenticated user
administrator
User Account

6. admin
Roles
authenticated user
administrator
manager
editor
User Accounts

7. admin
Roles
authenticated user
administrator
manager
editor
User Accounts Permissions
Administer comments and
comment settings
View comments
Post comments
Skip comment approval
Edit own comments

8. The permission are set at People > Permissions
All non-anonymous users are authenticated users and as such get the permissions of the
authenticated user role automatically.

9. Trying to access an admin page (/admin) as users with different roles
/admin and its subdirectories can only be accessed by users with a role that has the "Use the
administration pages and help" permission.
Anonymous (= not logged-in)
user:
Authenticated user without the roles
"administrator" and "manager":
Authenticated user with the role(s)
"administrator" and/or "manager":

10. If adding a new role down the road, remember to give it permissions!
Only the permissions of the authenticated user role will be applied automatically.

11. Also remember to check the permissions whenever you create a new content type or install a
new module