Each user can belong to one or more user groups, and resource permissions can be assigned to groups as well as to individual users. Like some mainframe security managers, ES MSS has the concept of a "sign-on group": during sign-on, users can also specify which group they're signing on with. (If the user isn't in the specified group, the sign-on is denied.) Users who don't specify a group sign on under their "default group", as determined by the ESM.
By default, when a user requests access to some resource, some ESMs will only apply rules that refer to that user and the user's current sign-on group. (Other ESMs may ignore the concept of sign-on group entirely, and always apply rules that refer to any group the user belongs to.) Rules for other groups will be ignored, whether the user belongs to them or not.
You can set the Use all Groups option in an enterprise server's security configuration to change this behavior. If Use all Groups is set, it doesn't matter what a user's sign-on group is; the user will always have all the permissions that apply to any group that user belongs to.