The xp_cmdshell account, which is the SQL service account or proxy, likely doesn't have rights to grant permissions.
What you should do is have the account that runs the job be part of a group (domain or local) and grant the rights there. That way, if the account changes, you can add the new account to the group and get all the rights, rather than having to track them down.