I recommend the Web Security Help page: https://district.ode.state.or.us/search/page/?=128
Notes: There are three "roles" in most of the applications. (Modify, Primary Submitter and Web Service.) Only the Modify role needs to be checked for people who need to be able to make changes to collections. The other two roles really shouldn't be displayed and don't do what you might think. Please ignore them.
Read-only access to the applications is given by checking the "checkmark" by the application, NOT the Modify permission.
I hope this helps.