The Rights Inspector lets you search your configured permissions based on several different criteria. Each permission consists of a "Principal" (which user, group, or role has the permission), an "Object" (what record they have permissions on), and a "Right" (the name of the permission). Rights Inspector lets you filter your permissions for any combination of those three.
The "Right" field lets you specify partial and/or multiple rights (e.g. searching Ticket will match both "ShowTicket" and "ModifyTicket", while ShowAsset ShowCatalog will show results for both rights). Since "SuperUser" provides every other right, it will also be included in results when applicable.
The "Principal" and "Object" search fields by default work based on filtering. For example typing Principal arch will show permissions granted to the user "Archibald", the Group "Monarchs", the custom role "Researcher", and so on. You can also filter using other RT concepts by providing search terms like user, article, and so on.
Alternatively, these two search fields support a special mode where you may specify a unique record directly using syntax like group:Sales. This will show recursive memberships (such as rights granted to any groups that the Sales group is a member of). It will also show rights granted by being a member of an individual ticket's or asset's role groups. Similarly, searching for a specific ticket with syntax like t:10 will show you the permissions for that single ticket and its queue.
Any word prefixed with a ! will be filtered out from the search results, for example searching for right ShowTicket !SuperUser.
For example, to help answer the question "why can Joe see asset #39?" you may specify principal user:Joe, object asset #39, right ShowAsset. This will produce multiple results if Joe has access due to multiple different reasons.