On page 509, under the section Roles, the author proposes a better alternative to having your code check whether the current user is a member of a certain group before allowing access to a certain feature.
It recommends creating a custom permission (that the code should check for) then simply assigning the permission to groups as needed.

I realize this is not talking about code access security (groups or permissions) anymore. I'm familiar with creating security groups in Active Directory, but how does one create a permission and then assign it to a particular Windows group?