From the developer blog: https://developers.home-assistant.io/blog/2019/03/11/user-permissions.html
Home Assistant has had a user permission system since Home Assistant 0.82 (released Nov, 2018). Permissions are attached to groups, a user can be part of multiple groups, user permissions are based on merging the permission policies of all of its groups. More detailed info can be found in our docs. Users can create their own groups, but there are also three system groups: “admin”, “users” (new in 0.90), and “read-only”. All three have access to all entities, but the read-only cannot control any of them. Only the users part of the admin group can access administrative options like managing users and integrations.
Before Home Assistant 0.90, we were not using any of it. Instead, all users are part of the admin group, as that group provides the same access as before we had permissions. With 0.90, we’re going to allow switching the users group between the system groups “admin” and “users”. When a user is part of the “users” group, they will not be able to administer Home Assistant. The UI will hide the menu items to open the configuration panel or the developer tools.
This feature is however unfinished. We need to audit the Home Assistant code to make sure that all APIs and service calls check the users permissions. So although a user will not be able to use the UI to make changes, there might still be APIs that can be accessed without permissions. And not only do we need to check the Home Assistant code, custom components that register services or APIs will also have to be updated.
So this is where you can help! If you’re maintaining an integration, either custom or built-in, read up on the documentation on how to check permissions. Then check that your integration checks permissions appropriately. Once you checked yours, help others check theirs, and help us to audit all services and API calls in Home Assistant.