The important thing to remember is that permissions cascade down and are inherited. So, if you give a user group "read-only" permissions to your entire organization, they will have read-only permissions to every project in Jama no matter the folder in which the project resides.
Some common scenarios:
1) If you have a group that should not access anything except a folder of projects, then you can apply the permissions on the folder of projects only and those permissions will cascade down to all the projects in the folder.
2) If you have a group like All Users that you've given read-only access at the Org level, that read-only permission is inherited by all projects in the org (no matter what folder they're in).
a. If you "upgrade" the group's permission on a folder of projects, the permission is upgraded on all the specific projects under the
folder (e.g. upgrade All Users to Create/Edit for a Sandbox/Demo folder).
b. If you remove a groups permission from a folder of projects, the permission is removed from the folder, but not from the specific projects under the folder.
3) Users will still see folders in the project selector even if they don't have permissions to see the projects under that folder. It will just look like an empty folder to them, they won't see any projects in the folder.
(Originally posted by Preston Mitchell)