There are a lot of places in Sharepoint where you can assign permissions. This is intended as a summary of where administrative level permissions can be assigned.
Site Collection Users and Groups
This is set per site collection. Super user and regular user permissions to children of the site collection are set here. These permissions can be inherited by an site collection child, including sub-sites. Giving a user Full Control here does not give Site Collection Admin level control as might be assumed, but does give enough functionality for many things.
Site Collection Administrators
This can be set through the Site Collection Site Settings if you are already a Site Collection Administrator, or owner or secondary contact – i.e. existing site collection administators can add other people. You cannot add AD groups to this list, so Site Collection Administrators must be listed individually. Owners and Secondary Contacts are automatically Site Collection Administrators whether they are listed as such or not.
Site Collection Administrators is the highest level permission that can be given to a site collection. A Farm Administrator does not automatically inherit this permission (but see below) but can add themselves to the a specific Site Collection’s Administrators list through Central Administration > Application management > Site Collection Administrators.
Policy for Web Application
Here you can give Site Collection Administrator type permissions to all Site Collections in a Web Application (e.g. http://division). This can be useful for setting up admin accounts.
SSP Users and Groups
Access to some, but not all, SSP functions can be assigned via the SSP Users and groups page.
SSP Site Collection Administrators
If you are not on this list, you cannot access the Search Usage Report
SSP Web Application Policy
As for any other site collection, you can add an AD group as Site Collection Administrator by adding the group to this list.
Personalisation Services Permissions
Set up specific users who need to manage profiles and MySites in here. You also need to set up these users under the Policy for Web Application for your MySites Web Application or they won’t be able to admin mysites fully.
Business Data Catalog Permissions
If you use these, then you need permissions in here for administration.
Central Admin Site Users and Groups
Some functionality can be given here, but mainly you will be able to see the menu, but not do anything.
Central Admin Site Site Collection Administrators
Here you get the real power over Sharepoint.
Policy for Central Admin Web Application
Again – useful for assigning admin permissions by AD group.
Phew – that is a lot of places, and possibly not an exhaustive list. Does anyone actually need this level of granularity? Even if that is the case, could this have been made easier through better thought out admin pages, and better labelling? I am sure that Donald Norman and Edward Tufte would have a lot to say about Sharepoint admin!