In advanced mode, rights to tools are given on a tool-by-tool basis rather than to "General data entry", for example, in compatibility mode. The list of tools you see available will vary based on how you have VSys One configured: inapplicable tools, e.g. all of "Kiosk" if the VSys Kiosk isn't enabled, will not be present.
Assign rights to each tool by right-clicking on it. Right-clicking on a tool's grouping ("Account records" and "Admin tools" in the example below) sets the rights for that tool grouping and all tools within it.
Hovering your mouse over a tool tells you the effective rights of this user to that tool. Those effective rights are determined by following the inheritance chain to check the user's rights from his roles and the default user.
There are some special tools here that don't correspond to actual "tools":
Application forms: these provide data entry access (or not) to individual applications.
Project groups: provide superuser access to projects which are in those project groups regardless of explicit rights to individual projects.
Projects, "All rights to all projects": provides superuser access to all projects regardless of explicit rights to individual projects and regardless of rights defined by project group.
Special people rights: these provide (or don't provide) users access to remove bans, job exclusions and/or restrictions assigned to individual people. (A user still needs "edit" access to a person in order to edit these values, but giving them "edit" does not in and of itself let the user remove these values.) Note that no special right is required to ban someone or add job exclusions and restrictions, just to remove them.
Tool profiles: allows access to individual tool profiles. A user who does not have access to a tool profile cannot use that profile in VSys One or VSys Lite even if that profile is set as their default.
VSys Live, "Delete VSys Live sites": even if a user has rights to edit a VSys Live site, she cannot delete any site without this special right. To delete a VSys Live site, the user must both have the "Delete VSys Live sites" right, along with rights to the individual site itself.
VSys Live sites: these define whether or not the user is allowed, on a site-by-site basis, to set up and edit existing VSys Live sites.
There's no access right for "Restore data", because it's not possible. When it comes time to restore data, VSys can't read the database in order to check the user's security rights. To prevent someone from restoring to your database, either prevent them from deleting tables (SQL Server only), or put the value NoRestore=1 into the database's section in the VSys.ini file.
Need a list of tools so that you can go through them and decide who needs what rights? Remember that you can right-click on most lists in VSys - including this one - and export them to a file. Exporting this list to Excel will give you that list along with the effective rights for each tool as well.