There's a few ways of specify what users can and cannot do within SharePoint. The most blatent one is whether a user can actually access a site or not. Beyond that there are some very specific ways that Architects can control what users are allowed to do and ways that Administrators can manage the user base.
The most granular way is through using permissions. These are broken down into three groups:
But what are these pemissions? Well here's a list:
List Permissions
Description
Manage Lists
Create and delete lists, add or remove columns in a list, and add or remove public views of a list.
Override Check Out
Discard or check in a document which is checked out to another user.
Add Items
Add items to lists, add documents to document libraries, and add Web discussion comments.
Edit Items
Edit items in lists, edit documents in document libraries, edit Web discussion comments in documents, and customize Web Part Pages in document libraries.
Delete Items
Delete items from a list, documents from a document library, and Web discussion comments in documents.
View Items
View items in lists, documents in document libraries, and view Web discussion comments.
Approve Items
Approve a minor version of a list item or document.
Open Items
View the source of documents with server-side file handlers.
View Versions
View past versions of a list item or document.
Delete Versions
Delete past versions of a list item or document.
Create Alerts
Create e-mail alerts.
View Application Pages
View forms, views, and application pages. Enumerate lists.
Site Permissions
Manage Permissions
Create and change permission levels on the Web site and assign permissions to users and groups.
View Usage Data
View reports on Web site usage.
Create Subsites
Create subsites such as team sites, Meeting Workspace sites, and Document Workspace sites.
Manage Web Site
Grants the ability to perform all administration tasks for the Web site as well as manage content.
Add and Customize Pages
Add, change, or delete HTML pages or Web Part Pages, and edit the Web site using a Windows SharePoint Services-compatible editor.
Apply Themes and Borders
Apply a theme or borders to the entire Web site.
Apply Style Sheets
Apply a style sheet (.CSS file) to the Web site.
Create Groups
Create a group of users that can be used anywhere within the site collection.
Browse Directories
Enumerate files and folders in a Web site using SharePoint Designer and Web DAV interfaces.
Use Self-Service Site Creation
Create a Web site using Self-Service Site Creation.
View Pages
View pages in a Web site.
Enumerate Permissions
Enumerate permissions on the Web site, list, folder, document, or list item.
Browse User Information
View information about users of the Web site.
Manage Alerts
Manage alerts for all users of the Web site.
Use Remote Interfaces
Use SOAP, Web DAV, or SharePoint Designer interfaces to access the Web site.
Use Client Integration Features
Use features which launch client applications. Without this permission, users will have to work on documents locally and upload their changes.
Open
Allows users to open a Web site, list, or folder in order to access items inside that container.
Edit Personal User Information
Allows a user to change his or her own user information, such as adding a picture.
Personal Permissions
Manage Personal Views
Create, change, and delete personal views of lists.
Add/Remove Personal Web Parts
Add or remove personal Web Parts on a Web Part Page.
Update Personal Web Parts
Update Web Parts to display personalized information.
Some of these permissions rely on others to correctly work. Mark Arand provides a very useful spreadsheet which outlines these permissions as well as which ones are required to achieve specific roles and functions. His blog entry can be found here.