Thank you for the answers, but I realize now I was not clear in my question.
Say you have a pipeline and you want to give a group permission to run that pipeline only. If you set the ACL to add the group to that individual pipeline (with "allow" permissions for Read and Execute), you will run into ACCESS_DENIED errors because the user does not have permissions to run the procedures within the pipeline.
Likewise, if you give a group permission to run one procedure, but that procedure calls sub-procedures from different projects, the same access denied errors will appear.
So how can we identify all the projects/procedures/property sheets/etc that the user/group needs to have access to in order to execute a given pipeline or procedure?