Before setting up a new user, make sure the necessary Roles are defined. Add, remove, or modify Users through the Users button at the Portfolio Node level of the Portfolio Tree. Pick a user from the alphabetically-sorted selection list (the list can be narrowed using the filter at the top) or click the New User button. The system will tell you when you skip required fields.
Once you get through the basic contact information, edit or add roles under Role Memberships. Pick lists will show you the available Data Contexts (Data Source, Portfolios, Facility Groups, and Facilities). These are used to define the scope over which the role assignment will apply for that user. This is the way to restrict users to only the facilities applicable to their job requirements.
Information access is limited by Data Context, so that each user can see and work with only the relevant facilities.
Once you have set the Data Context, pick a Role from the drop-down list.
Roles for a single user can be applied against different Contexts, so that they overlap. For example, a user could have Read Privileges on a particular Security Domain for the entire Portfolio, and Modify Privileges in the same Security Domain for only one Facility Group.
Roles are additive. Adding a new Role to a User can only increase Privileges or leave them unchanged. It will never reduce User Privileges.