Teams provide a very broad way to assign authorities. If a Team grants the Consumer authority, say, it grants that authority over everything in the project. That means all content is readable by anyone on the team. While this is useful in a number of cases, it is also too broad a stroke for more complex scenarios.
In a more complex scenario where you wish to limit read access for specific types of content to specific users. To do this, you start by modifying all Teams that a user is a member so they no longer do that broad sweep:
1. Click on a Team (such as the Project Users Team).
2. Click on Properties.
3. Click the check box for "Manage Node permissions independently".
4. Click on Save.
By doing that, any users on the Project Users Team will no longer automatically inherit the Consumer right against content inside of the project. To see this, you can click on Properties. A "Revoke Consumer from Node" policy is added to the team which tells Cloud CMS not to propagate the Consumer role from the Team to any Nodes in the project. You can adjust this to filter out any other Roles you don't want to propagate.
Once you've done that, you'll need to grant rights to content explicitly using either Folders or Content Type Definitions.
1. all users are a member of the team Project Users and the User should not be removed from this team.
2. Changing the Project User team as described above will revoke read access on all content for users just in the Project User team and access to content will be granted in the membership of other teams the User is a member of.
Using Folders, you can grant the Consumer right to the Root Folder of your folder tree and all child folders and nodes contained within nested folders will inherit that Consumer right. Similarly, you can prescribe the Consumer right to some folders but not others.
Using Content Type Definitions, you can grant a Custom Role (you'll have to create the role) to a user against a Definition which grants the READ_WITH_DEFINITION permission. This permission indicates that the user should have read rights over any content of that type. As noted, you'll have to create a custom role that grants the permission and then grant to a user against the Definition.