I would suggested that when setting up the user to select the permission set Group Admin. Once the user name has that attribute set you can save the changes. Next go to Menu/User Management/ Permission sets. Edit the option " System Tree Access" . You will want to uncheck My Organization is selected and only check the groups or objects that you would like the user to be able to manage. You will now need to add the point products that you would like this person to be able to manage IE McAfee Agent, Virusscan Enterprise, Host Intrusion Prevention. Select edit on the right of each product. Set the options as you would like. Save the change and logout of the dashboard. Login with the newly configured account and test that the user can change the policies for the branch or group you have selected.
Hope this helps,