Recently, a user with administrative rights to his department’s site could not give permissions to access the site to one of the users in his department.
The site administrator had Full Control rights to the site, but when he tried to add the user to the group that had Contribute rights, found that he was unable to add the user.
This is actually a simple problem to fix. SharePoint groups that may have rights to a site (or list, or item) are not actually part of that site (or list or item), and so can’t be administered by someone with Full Control of that site (or any other permission level) based on that permission level. Instead, groups have owners (usually the individual who set up the group). When the group is set up, the creator determines whether or not the membership can be modified by other group members or only by themselves.
Best practice for an organization that wants to distribute authority would be to set up an administrators group, configured so that the members can edit the membership. (I mean really, if you don’t trust the members of your administrator group to keep control of their membership, why did you give them admin rights to begin with? But if you are in an organization that wants to feel like control of their distributed authority is centralized, you can set the group up with their manager as the owner, and restrict membership changes to the owner. But IMHO that is just insulting to the people to whom you gave full control of your site.)
Once you have that group set up, other groups with lesser rights would be configured to be owned by the administrators group, with membership changes restricted to the administrators group. Then site administrators could maintain the site membership.
Of course, Site Collection Administrators can always modify any group membership in their site collection.