Functional - Determines the actions that you can perform on types of objects, based on the role(s) that you belong to. Your organization defines these roles at implementation, and each role has a set of permissions associated with it, that determine what actions a user belonging to a role can perform. For example, if you are a user assigned a role called "Administrator", you might have permissions to map and delete system tables, while if you are a user assigned the role called "Reviewer" you might be denied permissions to map and delete system tables.

Object - Defines the of object types on which you can perform your allowed actions. In other words, even if you belong to a role that has general permissions granted to edit campaigns, object-level security for Campaign can be set up so that you cannot access campaigns residing in particular folders. For example, if you belong to Division A, regardless of your functional roles, you can be disallowed from accessing the contents of folders belonging to Division B.