User has a permission type, none is basic, editor means access to the /admin area of Kentico but no permissions, they need to be assigned. Administrator means access to the assigned sites resources and modules, but no access to global, and global administrator is unadulterated access.
Next roles are a container for permissions.
Memberships contain uses and roles so you can group them, adding people to multiple roles simply by adding to a membership group that has the roles.
Permissions control what a user has access to, both operations (such as create it delete certain page types) but also user interface (such as access to the "form" tab on pages).
That's the best I can do for a summary, documentation goes into better detail and you will probably need to look into it to fully understand things.