When you try to change the membership of a role group in Microsoft Office 365 dedicated/ITAR, you receive the following error message:
You don't have sufficient permissions. This operation can only be performed by a manager of the group.
This issue occurs if you are not the owner of the group and are not listed in its ManagedBy property.
The SSA-Role Management role group is the default owner of all the Office 365 dedicated/ITAR Role Based Access Control (RBAC) baseline role groups. This is indicated by the ManagedBy property of the role groups. Users who are not members of the SSA-Role Management role group cannot see or change the membership of these role groups.
If new role groups are created to customize the RBAC configuration, we recommend that you use the ManagedBy property to set the SSA-Role Management group as the owner. For example, use the following cmdlet:
If the ManagedBy property is not specified, the individual who creates the account will be automatically added as the owner.
The RBAC customization feature that's available in Microsoft Exchange Server 2013 lets users change the baseline role group and management role implementation. Users can create custom role groups to let other administrators manage role group membership. For more information about this feature, see the "RBAC Customization" section of the Self-Service Administration guide. Example 2 in that section shows how to create a custom membership management role group and a management role.
Note Microsoft Online Support Services will not change the role group membership of the self-service role groups, nor will it release the names of any of the role group members.