Assigning task-specific permissions

For each user, group, role, or computer you add to an account, you can use permission settings to control what they are allowed to do. However, some tasks require a specific combination of permissions. For example, users must have both the Delete and Checkout permissions to delete accounts because they must be able to display or copy the password for an account before deleting it. To give other users the authority to configure a “request and approval” workflow, you must assign them both the Grant and Edit permissions.

Some tasks also require permissions for both the account you want to use and the system, domain, database, or service you want to manage. For example, if you have Edit permission for a set, you also need Edit permission for the members of that set. You can set member-level permissions for a set if you are working with a manual set. If the set is defined dynamically using a query, however, you need to set the member-level permissions using a global setting or on the individual set members.

In addition, the permissions available can vary depending on the type of account you have selected. For example, multiplexed accounts only support the Grant, Edit, and Delete permissions and require additional permissions for systems.
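The following added example (not part of the product or its documentation) shows one way to audit an export of permission assignments against the combinations described above. The export format, its field names, and the sample principals and accounts are hypothetical and constructed for illustration; only the permission names and rules come from this page.

```python
# Permission combinations this page says a task requires (all must be held).
TASK_REQUIREMENTS = {
    "delete account": {"Delete", "Checkout"},
    "configure request and approval workflow": {"Grant", "Edit"},
}
# Permissions this page lists as supported on multiplexed accounts.
MULTIPLEXED_SUPPORTED = {"Grant", "Edit", "Delete"}

# Constructed sample export (hypothetical format): "tasks" lists what the
# principal is expected to be able to do on that account.
SAMPLE = [
    {"principal": "alice", "account": "root@db01", "account_type": "local",
     "permissions": ["Delete"], "tasks": ["delete account"]},
    {"principal": "bob", "account": "svc-app", "account_type": "multiplexed",
     "permissions": ["Grant", "Edit", "Checkout"], "tasks": []},
    {"principal": "carol", "account": "admin@web01", "account_type": "local",
     "permissions": ["Grant", "Edit"],
     "tasks": ["configure request and approval workflow"]},
]

def audit(assignments):
    """Return sorted (principal, account, finding) tuples."""
    findings = []
    for a in assignments:
        perms = set(a["permissions"])
        who = (a["principal"], a["account"])
        if a["account_type"] == "multiplexed":
            # Flag anything outside the set supported for multiplexed accounts.
            for p in sorted(perms - MULTIPLEXED_SUPPORTED):
                findings.append(who + (f"unsupported on multiplexed account: {p}",))
            # Assumption: task checks are skipped here because the page does
            # not say how the combinations apply to multiplexed accounts.
            continue
        for task in a["tasks"]:
            needed = TASK_REQUIREMENTS.get(task)
            if needed is None:
                findings.append(who + (f"unknown task: {task}",))
                continue
            missing = needed - perms
            if missing:
                findings.append(
                    who + (f"cannot {task}: missing {', '.join(sorted(missing))}",))
    return sorted(findings)

if __name__ == "__main__":
    for principal, account, finding in audit(SAMPLE):
        print(f"{principal:8} {account:12} {finding}")
```
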

For more information about setting permissions, see Assigning permissions. For information about assigning global account permissions, see Setting global account permissions.