I'm probably not the only one who went through a bumpy journey trying to understand the RA Permission Management. It has several dimensions to control (ie: ROC, Studio, Environment, Application). A permission granted to a role may inherit another permission that you may thought you should or not having it.
This article hopefully could reduce some nightmare during your permission configuration journey or to answer some client queries on related.
The attached spreadsheet contains almost all the user permission configuration vs what it can do from micro level (ie: execute release, create release, resume release) on ROC and Studio.
It's based on RA 5.0.2, so generally still applicable to RA5.5. Feel free to update to keep the nightmare away from everyone.