A permission set represents the permissions for users that access ERA Web Console, they define what the user can do or see in the Web Console. Native users have their own permissions while domain users have the permissions of their Mapped security group.
ERA Web Console permissions are divided into categories, for example, Native Users, Certificates, Policies and so on. For each functionality, a given permissions set can allow for Read-only or Write/Execute access.
Read-only permissions are good for auditing users. They can view data but cannot make changes.
Write/Execute allows users with this privilege to either modify respective objects or execute them (when possible - for instance Tasks can be executed).
Next to permissions to ERA functionality, there can be give access to Static Groups or User Groups. Every User can be given access to either all or to subsets of Static Groups. Having access to certain Static Group automatically means access to every of its subgroups. In this case: