Roles are represented as a collection of operations on object types, each at a specific scoping level. The scope limits how the operation can be used. At the 'system' scope, the permission assignment applies to all objects of that type in the system. For example, if the operation is 'Storage Volume' + 'Delete' and the scope is 'System', then you can delete any storage volume in the system or grid. If the scope is reduced to 'group/cloud', then you can only delete the storage volumes in your assigned storage cloud. To restrict the role further, assign the 'user' level scope, which only allows the user to execute the given operation on resources of that type that they own or have created. Going back to the example of deleting a storage volume, you would want the scope to be 'user' if you want users with the role to be able to delete only their own storage volumes and not those of other users.
Navigation: Users & Groups --> Role --> Create (toolbar)
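
The following is an added example, not the product's own code: a small Python model of how the three scopes described above narrow the same 'Storage Volume' + 'Delete' operation. The class and function names, the one-cloud-per-user model, and the sample users and volumes are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Scope(Enum):
    USER = "user"          # only resources the caller owns / created
    GROUP = "group/cloud"  # only resources in the caller's assigned storage cloud
    SYSTEM = "system"      # every object of that type in the system or grid

@dataclass
class Resource:
    name: str
    object_type: str
    owner: str
    cloud: str

@dataclass
class User:
    name: str
    cloud: str   # assigned storage cloud (hypothetical one-cloud-per-user model)
    role: dict   # {(object_type, operation): Scope}

def is_allowed(user, operation, resource):
    """Return True if the user's role permits `operation` on `resource`."""
    scope = user.role.get((resource.object_type, operation))
    if scope is None:
        return False                      # operation not in the role: deny
    if scope is Scope.SYSTEM:
        return True
    if scope is Scope.GROUP:
        return resource.cloud == user.cloud
    return resource.owner == user.name    # Scope.USER

def allowed_targets(user, operation, resources):
    return [r.name for r in resources if is_allowed(user, operation, r)]

# Constructed sample data, not taken from a real system.
VOLUMES = [
    Resource("vol-1", "Storage Volume", "alice", "cloud-a"),
    Resource("vol-2", "Storage Volume", "bob", "cloud-a"),
    Resource("vol-3", "Storage Volume", "carol", "cloud-b"),
]
DELETE = ("Storage Volume", "Delete")
alice = User("alice", "cloud-a", {DELETE: Scope.USER})
bob = User("bob", "cloud-a", {DELETE: Scope.GROUP})
admin = User("admin", "cloud-b", {DELETE: Scope.SYSTEM})

if __name__ == "__main__":
    for u in (alice, bob, admin):
        print(u.name, allowed_targets(u, "Delete", VOLUMES))
```

The same role entry yields one, two, or three deletable volumes depending only on the scope, which is why reviewing a role means checking the scope on each operation and not just the list of operations.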