About User and User Group Permissions

When you specify a user or user group for security object class permissions, you must specify a domain account. You cannot specify accounts that are local to a computer or global to the domain.

There are two types of permissions: explicit and implicit. Explicit permissions are those permissions granted directly to a user account; no other users are affected. Implicit permissions are those permissions granted to a user group account. Adding a user to that group grants the group's permissions to that user; removing a user from the group removes the group's permissions from that user.

When a user accesses the SMS Administrator console, that user's set of permissions is based on the sum of that user's explicit and implicit permissions. A user's security level is always the least restrictive of that user's explicit permissions and the permissions of any and all groups to which that user belongs.

For this reason, the least complicated way to administer a workgroup is to create new groups and assign permissions to the groups, rather than to individual users. Then you can change individual users' permissions by adding them to or removing them from groups. Also, if you need to grant new permissions, you can grant them to all members of a group in a single operation.
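
The following is an added example, not code from SMS or from this documentation: a small model of the rule above that effective permissions are the union of explicit and group grants, showing that an explicit grant survives removal from a group. All account names, group names, object classes and permissions in it are constructed sample values.

```python
from collections import defaultdict

# Constructed sample data (not from a real SMS site). Each grant is
# (account, object class, permission); all accounts are hypothetical.
EXPLICIT_GRANTS = [
    ("EXAMPLE\\alice", "Collection", "Read"),
    ("EXAMPLE\\alice", "Package", "Modify"),
]
GROUP_GRANTS = [
    ("EXAMPLE\\SMS-Helpdesk", "Collection", "Read"),
    ("EXAMPLE\\SMS-Helpdesk", "Collection", "Use Remote Tools"),
    ("EXAMPLE\\SMS-Packagers", "Package", "Modify"),
    ("EXAMPLE\\SMS-Packagers", "Package", "Distribute"),
]
MEMBERSHIP = {
    "EXAMPLE\\alice": {"EXAMPLE\\SMS-Helpdesk", "EXAMPLE\\SMS-Packagers"},
    "EXAMPLE\\bob": {"EXAMPLE\\SMS-Helpdesk"},
}


def effective_permissions(user, membership=MEMBERSHIP):
    """Map each (object class, permission) to the grants that supply it."""
    sources = defaultdict(set)
    for account, obj_class, perm in EXPLICIT_GRANTS:
        if account == user:
            sources[(obj_class, perm)].add("explicit")
    for group, obj_class, perm in GROUP_GRANTS:
        if group in membership.get(user, set()):
            sources[(obj_class, perm)].add(group)
    return dict(sources)


def surviving_after_removal(user, group):
    """Permissions the user still holds after being removed from `group`."""
    reduced = dict(MEMBERSHIP)
    reduced[user] = MEMBERSHIP.get(user, set()) - {group}
    return set(effective_permissions(user, reduced))


def explicit_overlaps(user):
    """Explicit grants that a group already supplies (candidates to drop)."""
    return sorted(key for key, src in effective_permissions(user).items()
                  if "explicit" in src and len(src) > 1)


if __name__ == "__main__":
    for key, src in sorted(effective_permissions("EXAMPLE\\alice").items()):
        print(key, sorted(src))
    print(surviving_after_removal("EXAMPLE\\alice", "EXAMPLE\\SMS-Packagers"))
```

In this model, removing alice from the packagers group takes away Distribute but not Modify, because Modify is also granted to her explicitly; an audit of explicit grants catches that kind of leftover access.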

