Code permissions are simple on the surface but complex internally. At the most basic level, one assigns the ability to execute a service to a role, and then assigns that role to a user.

However, there are situations where it is beneficial to allow a user to call a code service that executes as another user. For example, if one wants custom filtering applied to data before it is added to a table, but does not want to give every user access to that table, it is beneficial to create a role that has access to that table and assign it to a single user. Note that the Collections user should also have a role with permission to execute the code service.

Also remember that when a service is executed, unless it is executed in another user’s context as noted above, the service mechanism is designed so that all calls made by that service to the platform are made in the context of the user who executed it. The developer is able to log in manually as another user and perform calls, but this adds unnecessary overhead to the service.
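
The following is an added example, not the platform's own code or API: a simplified Python model of the permission flow described above, showing a caller with no table access using a filtering service that runs as another user. All names (`alice`, `svc_writer`, `filter_insert`, `plain_insert`, `readings`, `ALLOWED_FIELDS`) are hypothetical, and it assumes the run-as user is the one who needs both table access and execute permission.

```python
from dataclasses import dataclass
from typing import Optional

ALLOWED_FIELDS = {"sensor", "temp"}  # constructed filter rule for the example

@dataclass(frozen=True)
class Role:
    services: frozenset = frozenset()  # services the role may execute
    tables: frozenset = frozenset()    # tables the role may write to

@dataclass(frozen=True)
class Service:
    table: str
    run_as: Optional[str] = None  # None: run in the caller's own context

class Platform:
    def __init__(self, user_roles, services):
        self.user_roles, self.services, self.tables = user_roles, services, {}

    def allowed(self, user, kind, target):
        return any(target in getattr(r, kind) for r in self.user_roles.get(user, ()))

    def insert(self, user, table, row):
        # Each platform call is authorized against the user it is made as.
        if not self.allowed(user, "tables", table):
            raise PermissionError(f"{user} may not write to {table}")
        self.tables.setdefault(table, []).append(row)

    def execute(self, caller, name, row):
        svc = self.services[name]
        effective = svc.run_as or caller
        # Both the caller and the run-as user need a role that can execute it.
        for user in {caller, effective}:
            if not self.allowed(user, "services", name):
                raise PermissionError(f"{user} may not execute {name}")
        clean = {k: v for k, v in row.items() if k in ALLOWED_FIELDS}
        self.insert(effective, svc.table, clean)
        return effective

def build_demo():
    caller = Role(services=frozenset({"filter_insert", "plain_insert"}))
    writer = Role(services=frozenset({"filter_insert"}), tables=frozenset({"readings"}))
    return Platform(
        {"alice": [caller], "svc_writer": [writer]},
        {"filter_insert": Service("readings", run_as="svc_writer"),
         "plain_insert": Service("readings")},
    )
```

In this model `alice` can add filtered rows through `filter_insert`, while a direct insert or the same write through `plain_insert` (which runs in her own context) is refused.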