The classic UI AEM Useradmin console is often unstable and appears to be deprecated, so use the Touch UI --> Security --> Users/Groups/Permissions tile to manage user rights instead.
The ACE privileges below are helpful when assigning rights to a user or group from the Touch UI useradmin console.
Read - jcr:read
Delete - jcr:removeChildNodes, jcr:removeNode
Create - jcr:addChildNodes, jcr:nodeTypeManagement
Modify - jcr:modifyProperties, jcr:versionManagement, jcr:lockManagement
For child nodes - add one more ACE with jcr:removeChildNodes, jcr:removeNode, jcr:addChildNodes, jcr:nodeTypeManagement
and set its restriction to rep:glob="*/jcr:content*"
Read ACL - jcr:readAccessControl
Edit ACL - jcr:modifyAccessControl
Replicate - crx:replicate
In short:
Read/Modify/Create/Delete/Read-ACL/Edit-ACL/Replicate -
jcr:versionManagement, jcr:modifyAccessControl, jcr:read, jcr:readAccessControl, crx:replicate, rep:write, jcr:lockManagement
For Rollout access - The user should have R/C/M/D on the blueprint and R/C/M/D/Replicate on the Live Copy.
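To review an existing group against the mapping and the Rollout rule above, the following added example (not part of the original post) expands the rep:write and jcr:write aggregates and reports which actions a privilege set covers and what is still missing for rollout. Assumptions: only allow ACEs are considered, restrictions such as rep:glob and deny entries are ignored, the aggregate definitions are the standard Jackrabbit Oak ones, and the sample ACE sets are constructed.

```python
# Added example. Action names and privileges are the page's mapping; the aggregate
# definitions are the standard Jackrabbit Oak ones. ACE sets below are constructed.
AGGREGATES = {
    "jcr:write": {"jcr:modifyProperties", "jcr:addChildNodes",
                  "jcr:removeNode", "jcr:removeChildNodes"},
    "rep:write": {"jcr:write", "jcr:nodeTypeManagement"},
}
ACTIONS = {
    "Read": {"jcr:read"},
    "Delete": {"jcr:removeChildNodes", "jcr:removeNode"},
    "Create": {"jcr:addChildNodes", "jcr:nodeTypeManagement"},
    "Modify": {"jcr:modifyProperties", "jcr:versionManagement", "jcr:lockManagement"},
    "Read ACL": {"jcr:readAccessControl"},
    "Edit ACL": {"jcr:modifyAccessControl"},
    "Replicate": {"crx:replicate"},
}
RCMD = ["Read", "Create", "Modify", "Delete"]
ROLLOUT = {"blueprint": RCMD, "live copy": RCMD + ["Replicate"]}

def expand(privileges):
    """Resolve aggregate privileges (rep:write, jcr:write) to their members."""
    resolved, todo = set(), list(privileges)
    while todo:
        p = todo.pop()
        if p in AGGREGATES:
            todo.extend(AGGREGATES[p])
        else:
            resolved.add(p)
    return resolved

def actions_granted(privileges):
    """Touch UI actions fully covered by an allow ACE's privilege set."""
    have = expand(privileges)
    return {a for a, need in ACTIONS.items() if need <= have}

def rollout_gaps(allow_by_role):
    """Privileges still missing for rollout, per role (blueprint / live copy)."""
    gaps = {}
    for role, actions in ROLLOUT.items():
        need = set().union(*(ACTIONS[a] for a in actions))
        gaps[role] = sorted(need - expand(allow_by_role.get(role, ())))
    return gaps

if __name__ == "__main__":
    # Constructed allow ACEs for a hypothetical group on the two trees.
    sample = {"blueprint": {"jcr:read", "rep:write"},
              "live copy": {"jcr:read", "rep:write", "jcr:versionManagement",
                            "jcr:lockManagement"}}
    print(rollout_gaps(sample))
```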
For publishing rights on content containing experience fragments/fragments, access to the paths below is also required to activate policies, in addition to access to the fragment path -
/conf/<project-name>/settings/wcm/policies
/conf/<project-name>/settings/wcm/templates