DotCMS objects often adopt their role-based permissions via hierarchical permission inheritance. Access to dotCMS objects can be controlled through the use of Roles and "inheritable permissions" from "parent objects", namely the System Host, Sites, Folders and Content Types (see diagram below). An object will only receive "inherited" permissions from its nearest "parent object" that has individual permissions set on it. Meaning, that if a Site has a particular set of permissions, and a Folder on that site has it own permissions, then File Assets, Pages, etc., that reside in that Folder will inherit permissions from the Folder instead of the Site.
Inheritance is optional. Each object can be still permissioned individually if you wish. But, if permission inheritance is set up correctly, it is possible to make child content/objects either editable or hidden to content contributors based on the role permissions given to the parent objects. Webmasters can set up parent objects so that they pass on their permissions to child objects so that the webmaster does not need to worry about permissioning each child object individually.
To learn more about applying permissions on a specific type of dotCMS object, please see the Object Permissions documentation.