Securable objects like documents and folders get their initial security from the Default Instance Security ACL of their class and possibly also from the class' default security policy, if there is one. Authorized users can add to or change this initial security. Directly changing a single object's security means that only that one object will receive the changes. If the object is a document, these direct changes to a single version will continue to appear on later versions of the same document.
To add new users and groups to a single object: