The Moodle access rights system is based around the concepts of contexts, capabilities, permissions, and roles. Let us first define these terms in the context of Moodle.
A capability is a system defined feature or action. For example, view course would be one capability. All capabilities are defined either by Moodle core or by third-party module(s).
Context is an abstraction representing part of Moodle. We have six predefined contexts and they are arranged in a hierarchical fashion with permissions inherited from higher to lower contexts. Here is the list of existing contexts presented in order of importance from higher to lower:
System: This context represents the entire Moodle. Any role assigned at this level applies globally on the entire system. For example, if we assign the teacher role to a user he will have that role in every course and would be able to manage them as if enrolled in every one of them.
User: This context for a specific user...