Each user is assigned a security profile. The security profile defines which parts of the system a user can access and what they can do in each part of the system. All of this is customisable. You can give each user a unique security profile, or you can group users together and give them a profile aligned to their role.
The system comes set up with default security profiles. You can change these, or create new ones.
Typically, security profiles are set up depending on the role someone has. So a scrum master might have access to everything, but a product owner probably can't see the project financials and a team member probably can't edit a story map, or delete backlog items, but they can create new backlog items or edit existing backlog items.