As well as selecting the permissions that you want to associate with a role, you can also choose to deny certain permissions to users who occupy the role. By denying the permissions, you stop users from acquiring them when they are assigned to other roles that do allow the permissions.
For example, suppose that you want to prevent some users from accessing all the facilities in the Discovery Accelerator client except for the search facility. To achieve this, you would assign the users to a role in which you have set the Search and Search Preview permissions to Allow, but you have set all the other permissions to Deny. Even if the users are assigned to other roles that grant them additional permissions, they cannot exercise them; the Deny permissions take precedence.
Some predefined roles have permissions that you cannot revoke because they are fundamental to the roles. For example, you cannot set the Role Assignment permission for the Case Administrator role to Deny. In the Role Details pane of the Discovery Accelerator client, these permissions are dimmed to show that you cannot change them.
More Information
About the Discovery Accelerator permissions