The three main elements are resources, permission sets and accounts.
Resources define the content that you have subscriptions for. Your resources will be a sub-set of the potential resources in the catalogue and are collected in your permission sets, which identify the resources that sub-sets of your accounts can access. Accounts identify the holder to resources as a member of your domain or organisation and eligible to access under your subscription.
A simple set-up where all account holders have access to all content might have only one permission set and that assigned to all accounts. It would probably be marked as a default permission set so that accounts were assigned it automatically when they were created.
If you have different types of user that should access different sets of resources, you would just to create additional permission sets and allocate them accordingly. A common approach is to have a default permission set of things that all can access and additional permission sets that can be allocated to accounts that should access additional resources or shared property.