Permissive mode (default) means that a user can attempt access the system will pass attributes to any federated resource whether or not you have a subscription and that a user tries to access. In normal operation the resource would then decide whether or not you have allocated a resource to permission sets. A statistic will be logged for the access attempt even though they will probably not gain access. Keep using this mode if collecting those statistics is useful to you or your users access resources from a list of links you maintain yourselfto let the user in based on the attributes that had been passed.
Restrictive mode (recommended) means that the system will block access attempts to federated resources that are not specified in permission sets. Switch to this mode once you have set up your permission sets with the resources you subscribe to - they will also appear in MyAthens. Statistics are only recorded for resources that you specify. This mode is very useful if any of your subscriptions are with providers who expect you to only pass them eligible usersIts intended use is in situations where a resource is not operating according to standards - e.g. they have decided that it is up to you to not send them any response for users that should not have access.
This setting will also have an impact on statistics. A statistic is logged whenever attributes are passed to a resource and restrictive mode will stop those attributes being passed to unspecified resources. In permissive mode, statistics give you a record of all the things your users want to access; in restrictive mode, statistics give you a record only of the things that they should be able to access. Both have their benefits.
This setting only applies to federated resources - proxy resources and legacy resources other resources such as proxy (if you use anythem) will always operate as if in restrictive mode.
If enabled for your organisation, these allow access to bypass OpenAthens authentication for specified locations.