With the introduction of VSA 10 we shifted from the old manual access right management in favor of using Teams. You can think of a Team as a Group in the Active Directory the only difference being that you cannot belong to multiple teams at the same time.
The Teams section is located in the WebApp -> Server Admin -> Users & Teams, and if the left 'All Users' tab is dedicated to creating and managing user accounts then the 'Teams' are entirely dedicated to the concept of managing user access rights.
The section naturally splits into two.
The top section is reserved to only one built-in group called Administrators (users assigned to the administrator's team have all privileges to all systems).
The bottom section is called User Defined is open to user modifications and can be used to grant custom-based access rights to the systems and features.
For example, we have just created a new user account for one of our junior staff members and we want to restrict his access rights only to the Test Group while allowing him to access the other sites in the read-only mode while keeping him away from all the other organizations within the company.
To do it navigate to the relevant group and select the 'Edit' button from the bottom of the screen
from the Access, tab select the desired access privileges (all groups, sites, and organizations are set to No Access by default)
while in the Permissions tab customize the configuration of Billing, Automation Reporting, and Patch policy settings available for the user and save the changes.
The final step is to move the user account to the newly configured team.
To do it select the 'Edit' button from the user's current team
navigate to the Members tab and move out the user to his newly configured team.