Suppose you decide to have two roles: a director and an accountant. Further you decide that directors should be able to view projects and not approve expenses while accountants should be able to approve expenses and not view any project. To do this, you will need to :
Add users - e.g. Joe, Jim, Mary and Tom
Define the two roles - Director and Accountant. (ask your administrator to do this)
Add users to the appropriate roles e.g. add Joe and Jim to the Director role while add Mary and Tom to Accountant role
Grant the view project privilege and deny process expense privilege to Director, and vice-versa to Accountant role
Now when users playing a director role try to view a project, Celoxis Security System grants them the privilege. So, Joe will be granted privileges to view any project while Mary will be denied access. However, Mary will be allowed to process expense reports while Joe will be denied privilege.