Security Roles are documented in Section 4.2.3 of the Extension Pack Administration Guide.
In the scenario you describe you'll want to make the users a member of the Computer Configuration Administrators role, which will grant them the ability to perform computer configuration tasks, but not perform any tasks regarding approving updates.
Managing access to specific machines is done through the use of Credentials. Credentials can be assigned by Organizational Unit. In the absence of an OU heirarchy that can be used, you can allocate a different credential for each group and configure that credential to have access to the individual machines in that group. Then assign that credential to the Domain or OU rule for each user, according to what they should have the ability to access.
Approval Delegation can be used to completely block the ability to approve/decline updates, but note that this feature only is functional within the Extension Pack. You will also need to restrict access to the native WSUS Administration Console (as well as Remote Desktop to the WSUS Server), in order to fully restrict this ability.