Hi,
Group security rights "Add" permissions.
Edit: When for a certain model, groupA adds read access and groupB adds write access, a user in both groupA and groupB will have both read and write access. If in doubt, check: https://github.com/odoo/odoo/blob/master/openerp/addons/base/ir/ir_model.py#L704
If you want a security rule to remove a certain permissions, look at the record rules:
Global rules (non group-specific) are restrictions, and cannot be bypassed. Group-local rules grant additional permissions, but are constrained within the bounds of global ones. The first group rules restrict further than global rules, but any additional group rule will add more permissions
Detailed algorithm:
1. Global rules are combined together with a logical AND operator, and with the result of the following steps
2. Group-specific rules are combined together with a logical OR operator
3. If user belongs to several groups, the results from step 2 are combined with logical OR operator
Example: GLOBAL_RULE_1 AND GLOBAL_RULE_2 AND ( (GROUP_A_RULE_1 OR GROUP_A_RULE_2) OR (GROUP_B_RULE_1 OR GROUP_B_RULE_2) )
Regards,
Jos