I was wondering if there is a right that controls if a user has access to security features? IE groups, instance rights, etc. 

I am pretty sure the answer is no but I wanted to make sure there was not a way to keep the user with access to administration but take out the security parts so they cannot grant their own security. 

Release : 15.5.1

Component : CA PPM SAAS USERS, GROUPS, OBS ADMINISTRATION

As per current design there is no way to separate access rights to not allow Admin user to not able to get access rights for themselves as well as other users they have access to.