Hi Michael a great way to do this is to first create groups that have the proper permissions (remember you can add groups to groups and their permissions will stack)
Then create additional groups if needed which form your User groups.
add those groups to the permission groups.
Add users to the User groups.
Of course you can skip the middle step if that isn't required.
In follow up to that. It is best to specifically permit the runtime and not mass permit the runtime, many of the runtime services can impact the design and should be kept secured.The best way to approach this would be to always 'wrap' the standard services in your custom service. i.e. you are creating services that the users utilize that utilize the Thingworx standard services. Next you permit those custom services, and you apply the System User to all the standard services.