Since version 0.6.3, most settings (to determine what a player is allowed to do and what not) are handled by the new permission system. You can setup individual permissions for certain "groups", which will apply to all members of this group.
Basically there is always a fixed permission, called "default.permission", which can be found in the permissions subfolder in your server directory. These are the default basic permissions, which will apply to all players. Now you can create individual group permissions (you put them into the groups subfolder), which will inherit the default permissions, but overwrite all keys you specified in your group permission. In other words: If you created a long list with forbidden items in the default.permission, you can - for example - just allow the pickaxe in your group permission, resulting in the player being unable to use any items, with the exception of the pickaxe. It's up to you how much you go into detail, of course you can also suspend all restriction of the default.permission if desired.
You can create as many groups as you want and assign as many players to a particular group.
The data format of all permission files is YAML. Here is an example for the "default.permissions":
Note: This are by far not all permissions; if you don't specify a permission, the default value is used. For example: If you have a group "admins", and you don't specify a particular permission, the game will look in the "default.permissions" if the permission is specified there and takes it value. If this permission is also missing in the "default.permissions", the default server permission is used. You find an overview of all permissions and the according default value at the bottom of this topic.
Apart from the permissions, there is still the "admin" entry in the server.properties file. These "admins" are not affected by permissions, so they can use all commands and items. If you don't want that, you can set settings_admins_allpermissions to false in the server.properties file. Only the serverowner and all trustworthy persons should be an "admin" in the server.properties file btw. For all other team members, it's recommendable to create a separate "admin" group instead (and/or maybe a "moderator" group etc).
To assign a player to a particular group, you can use the setplayergroup command (use: setplayergroup playername groupname, specify null as groupname to remove the player from his group).
It's also possible to specify a "default group" for new players. Just open the server.properties file, look for the "settings_default_newplayer_group" key, and specify the desired group name (the filename without file ending).
Btw: There is a way to check your current permissions ingame: Just press ESC to get into the ingame menu (do not return to main menu!) and hit the "Permissions" button.
One final note: You cannot change the permission files during runtime yet. In other words: You have to restart the server once you have done some changes to any of the permission files 
