A user's security permissions are often determined by the groups the user belongs to - it's quicker that way, and easier to make changes. Groups usually define the security settings for users who perform particular roles - for example, Authors, Editors, or Developers.
If there is a conflict between permissions inherited from two different groups, the least restrictive permission is used.