A role is used to group and manage permission access to admin users.
Permission is based on module access, with allow and deny rules.
For example posts list module path is content/posts you can view the module of a page in the url.
To allow access to this module just add the path in the allow list, to deny access add it to the deny list.
You can also use wildcards to deny access to a whole group of modules,
For example content/* will apply to all actions in posts lists, post edit and post comments.
content/*/delete will apply to delete action for all content modules like posts, comments, categories etc.
*/delete will apply a global rule for all modules delete action.
You can use * wildcard to allow/deny multiple modules.
Ex: content/* will apply for all content modules like post and page add/edit, menu categories etc
To deny saving for content modules use content/*/save this rule will apply for save actions for content modules, and editing and adding posts/pages/categories etc will be denied.
To deny delete for all modules use */delete this rule will apply for delete actions for all modules.
Allow list is checked first then the deny list, if a rule allows access a deny rule can limit it.
For example you can add access to products section with products/* and only restrict product categories and delete with products/*/delete and product/categories deny rules.
With plugins/* you can restrict or allow access to plugins section and all plugins settings.
With plugins/contact-form you can restrict or allow access only to a specific plugin.