Drupal permissions are a sticky wicket. You want to configure your site with just enough roles to make it functional and secure, but not so many roles that you can't manage your permissions in Drupal's UI. But when every module, every content type, and every field (when Content Permissions is enabled) adds an additional checkbox, this can quickly become overwhelming.
I've attached Denver Open Media's full permission configuration. I'm going to post more about specific sections of this in comments to this post.