We delegate role membership management through the use of administrator assignments. A new administrator assignment is created in the role domain and an eDirectory group is assigned. The following six permissions are given for the role to be managed:
Revoke Role From User
Report on Role
Assign Role To User
Revoke Role From Group and Container
View Role
Assign Role To Group and Container

We assign users to these eDirectory groups so that they can manage the appropriate roles. This worked fine in UA4.6 IDMProv, because the following roles were able to access the roles tab:
Security Administrator
Resource Manager
Role Manager
Role Administrator
Resource Administrator

In UA4.7.2 IDMDash, this does not work. The only roles that can Assign Roles are Security Administrator and Provisioning Administrator. These trustees can not be modified.

How are we supposed to delegate role management?