Plugin permissions

For plugins, it looks like MyPluginClass::getPermissions() is where we define the UI (checkboxes) that we need to appear at admin/group/types/manage/[my-group-type]/permissions

But the place where we actually make the permissions work, and control how the permissions work under different conditions, is the hook_entity_access() implementation in our .module file. Do I have the right idea?

In other words, the settings we define in the getPermissions() method will not necessarily have any impact on access to the content. The hook_entity_access() implementation is what controls access. And typically our procedural code in hook_entity_access() implementation will take into account the permissions that are set in the form defined by getPermissions().

Correct?