It is a role based access control mechanism.
There is the account admin role, which let's you basically do anything the account owner can, except for changing their email and password, or removing the account. An account admin can create websites, change their settings, install packages on any of them, etc.
The website group admin role can do anything within the website group. It can edit the websites, install packages, work with branches and change the website settings. It can not remove the website group itself though.
A branch admin works similarly, but bound to a single branch. It can edit the website (branch), install packages, change its settings, but it can not create new branches or remove the branch.
If your use case is not covered by the above roles, get in touch so we can create a new role for you.