Since version 0.6.3, most settings (which determine what a player is and is not allowed to do) are handled by the new permission system. You can set up individual permissions for certain "groups", which will apply to all members of this group.
Basically there is always a fixed permission, called "default.permission", which can be found in the permissions subfolder in your server directory. These are the default basic permissions, which will apply to all players. Now you can create individual group permissions (you put them into the groups subfolder), which will inherit the default permissions, but overwrite all keys you specified in your group permission. In other words: If you created a long list of forbidden items in the default.permission, you can - for example - just allow the pickaxe in your group permission, resulting in the player being unable to use any items, with the exception of the pickaxe. It's up to you how much you go into detail; of course you can also suspend all restrictions of the default.permission if desired.
You can create as many groups as you want and assign as many players as you want to a particular group.
The data format of all permission files is YAML. Here is an example for the "default.permissions":
Note: These are by far not all permissions; if you don't specify a permission, the default value is used. For example: If you have a group "admins", and you don't specify a particular permission, the game will look in the "default.permissions" to see if the permission is specified there and take its value. If this permission is also missing in the "default.permissions", the default server permission is used. You will find an overview of all permissions and the corresponding default values at the bottom of this topic.
Let's get back to the example above: The first "info" permissions are just some "visual" things, chatcolor determines the color of the player's text when he sends a chat message (0xffffff equals white), "shownametag" determines if the nametag (the player's name above his head) should be visible, and "nametagprefix" specifies a prefix for the nametag.
Now it's getting more interesting: All "commands" permissions are generally split into an "allow" and a "deny" key. Every command you put into the "allow" list will be allowed for the group members (i.e. the player is able to use it), every command you put into the "deny" list will be disabled. You can use the wildcard character "*" as a replacement for "all commands".
Note: The permissions are parsed from top to bottom, so the example above makes no sense, since the server would allow the two commands first, but then disable all commands. It would make more sense if you put the "deny" block above the "allow" block in this case (so the server would disable all commands first, but then allow the two commands listed under "allow").
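The lookup chain (group file, then the default file, then the server default) and the top-to-bottom allow/deny parsing described above can be modelled in a few lines. This is an added example, not the game's own code: the dicts are constructed stand-ins for parsed YAML files, the command names and SERVER_DEFAULTS values are made up, and treating the "commands" block as one unit and denying unlisted commands are assumptions.

```python
# Constructed sample data: ordered dicts standing in for parsed YAML files.
# Section/key names (info, chatcolor, shownametag, commands, allow, deny)
# come from the page; command names and server defaults are invented.
SERVER_DEFAULTS = {"info": {"chatcolor": "0xffffff", "shownametag": True}}

DEFAULT_PERMISSION = {
    "info": {"shownametag": False},
    # Misordered as in the note above: "deny *" comes last and wins.
    "commands": {"allow": ["help", "home"], "deny": ["*"]},
}

GROUP_MODERATORS = {
    # Corrected order: deny everything first, then allow two commands.
    "commands": {"deny": ["*"], "allow": ["help", "kick"]},
}


def lookup(path, *layers):
    """Return the value from the first layer that defines the full path."""
    for layer in layers:
        node = layer
        for key in path:
            if not isinstance(node, dict) or key not in node:
                break  # this layer does not define the key, try the next
            node = node[key]
        else:
            return node
    return None


def command_allowed(command, block, unlisted=False):
    """Walk allow/deny lists in file order; the last matching rule wins.

    `unlisted` is the verdict for commands no rule mentions (assumption).
    """
    verdict = unlisted
    for rule, names in block.items():  # dicts keep insertion (file) order
        if rule in ("allow", "deny") and ("*" in names or command in names):
            verdict = rule == "allow"
    return verdict


def effective(command, group):
    """Resolve the commands block through the chain, then evaluate it."""
    block = lookup(("commands",), group, DEFAULT_PERMISSION, SERVER_DEFAULTS)
    return command_allowed(command, block or {})
```

Running the misordered block through command_allowed shows why a trailing "deny: *" silently cancels every earlier "allow" entry, which is an easy mistake to miss when reviewing a permission file.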
The next block - the "world" permissions - has the same structure. In this case a member of this group would not be able to break any blocks or destroy any objects or constructions.
The "blueprints" part does not have the typical "allow-deny" structure, it's just "key: value". In this example, the "use" permission (players can use existing blueprints) would be granted, but players are unable to create new blueprints (i.e. copy buildings on your server).
The same applies to the "customimages" block (in this particular case, setting "enabled" to false just disables this feature).
Finally we're coming to an interesting part: The "items" permissions. Here you're able to disable particular items. You can set the permissions for "crafting" (i.e. the player would no longer be able to craft this item), "pickup" (player is no longer able to pick up this item) and "drop" (player is not able to drop this item). Furthermore the "pickup" and "drop" blocks are split into "general" (affecting items in the world, e.g. when an item lies on the ground), "chest" (i.e. player is unable to pick up/drop an item from/into chests) and "body" (same as chests, just referring to dead bodies - for example to prevent players from looting dead bodies).
Apart from the permissions, there is still the "admin" entry in the server.properties file. These "admins" are not affected by permissions, so they can use all commands and items. If you don't want that, you can set settings_admins_allpermissions to false in the server.properties file. Only the server owner and all trustworthy persons should be an "admin" in the server.properties file btw. For all other team members, it's advisable to create a separate "admin" group instead (and/or maybe a "moderator" group etc).
To assign a player to a particular group, you can use the setplayergroup command (use: setplayergroup playername groupname, specify null as groupname to remove the player from his group).
It's also possible to specify a "default group" for new players. Just open the server.properties file, look for the "settings_default_newplayer_group" key, and specify the desired group name (the filename without file ending).
Btw: There is a way to check your current permissions ingame: Just press ESC to get into the ingame menu (do not return to main menu!) and hit the "Permissions" button.
One final note: You cannot change the permission files during runtime yet. In other words: You have to restart the server once you have made changes to any of the permission files.