user rights within project

How are user rights controlled within a project? It seems that if you grant access to the project the user can do most anything. We don't want all users to be able to add & delete tasks and in some cases may not want them to be able to update status. Perhaps just follow & add comments. It would also be nice to know if there were ways to keep certain project documents hidden except to certain users.