TM1 works in this order:
- Cube security
You can't skip a level on the way down. If you have none of these cubes then all users can WRITE to every cube. If you enable cube security, and nothing else, users will get the rights to the cubes per their group membership, for every part of the cube. Once you enable cube security then you will need to specifically assign security for every cube. If you enable dimension security then users will need at least READ to each dimension that exists in the cubes they use in order to READ data from the cube. If they need to WRITE then they will need WRITE to every dimension in the cube. Once you establish dimension security you will need to specifically assign security to every dimension. If you enable element security for a dimension then users will need to be specifically given either READ or WRITE to every element that they need to interact with. You do not need to establish element security for every dimension. It is optional. However, if you do not then the default security setting is WRITE for that element.
Security in TM1 is additive, meaning you get the sum of the rights of all the groups you are a member of. You also get the highest rights if there is a conflict. If one group you are in has WRITE to a cube and another has READ you will get WRITE. This is true for dimension security and element security.
The other thing you need to know is when you cascade down from cube to dimension to element security then the group needs WRITE all the way down in order to actually WRITE to the cube. If you give out WRITE to the cube, but READ to at least one of the dimensions in the cube then the user will receive READ. Same thing for element security.
If you are a TM1 admin I recommend you establish a test server and play with these concepts to see for yourself how they work. Once you figure it out it will become second nature. Also, I have not mentioned Cell Security cubes (which potentially trump all other security settings for a specific cube) because you don't have any.