Service Definitions have two types of security:
1) Who can request to create the site through ProvisionPoint, and
2) Who is added to all sites created from this Definition.
They're often similar sets of people, but they don't have to be.
Navigate to the Service Definition you want to manage, and select the Security tab on the left:
Now you'll see a list we can modify to allow users to access and/or be added to the new site.
Begin typing the name of the group in the text box. ProvisionPoint will refer to your Active Directory instance to help you select a valid group:
Select the group you'd like to add from the suggestion box. We can then select 3 options for this group:
1) Can Request? Sliding this option to Yes means that members of this Active Directory group will be able to see this Service Definition in the Request tab, and they'll be able to request this site.
2) Add Group to Newly Created Sites? Sliding this to Yes means this security group will be added to the permission set for any new site created from this Service Definition. If you want the group to be added, you'll need to select a:
3) Permission Level. This permission level will be applied to this group on site creation. The list you see here contains the default SharePoint permission levels as well as any custom permission levels you've created on the Permission Levels page (under Resources)
Click Save on the row to save the group settings. You can add multiple groups to this list in the same manner as above.
When the site has been created from this Definition, you might allow Site Owners to manage the security of the site going forward. Perhaps you don't want them to be able to give Full Control security - or perhaps you want them only to allocate a custom permission level to new users. Here is where you select the permission levels that will be available to Site Owners once the site has been created.
Just slide the switches to On to make that permission level available:
You might want some users to be given access to all new Project Sites, and another group only be allowed to request them. That might look like this: