diff --git a/alz/azuredevops/variables.hidden.tf b/alz/azuredevops/variables.hidden.tf
index 98bbe34..b0e3c88 100644
--- a/alz/azuredevops/variables.hidden.tf
+++ b/alz/azuredevops/variables.hidden.tf
@@ -229,7 +229,9 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Resources/deployments/write",
 "Microsoft.Resources/deployments/validate/action",
 "Microsoft.Resources/deployments/read",
- "Microsoft.Resources/deployments/operationStatuses/read"
+ "Microsoft.Resources/deployments/operationStatuses/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
 ]
 not_actions = []
 }
@@ -282,7 +284,8 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Authorization/locks/write",
 "Microsoft.Network/*/write",
 "Microsoft.Resources/deployments/whatIf/action",
- "Microsoft.Resources/deployments/write"
+ "Microsoft.Resources/deployments/write",
+ "Microsoft.SecurityInsights/onboardingStates/write"
 ]
 not_actions = []
 }
diff --git a/alz/github/variables.hidden.tf b/alz/github/variables.hidden.tf
index e536a44..6586b58 100644
--- a/alz/github/variables.hidden.tf
+++ b/alz/github/variables.hidden.tf
@@ -235,7 +235,9 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Resources/deployments/write",
 "Microsoft.Resources/deployments/validate/action",
 "Microsoft.Resources/deployments/read",
- "Microsoft.Resources/deployments/operationStatuses/read"
+ "Microsoft.Resources/deployments/operationStatuses/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
 ]
 not_actions = []
 }
@@ -288,7 +290,8 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Authorization/locks/write",
 "Microsoft.Network/*/write",
 "Microsoft.Resources/deployments/whatIf/action",
- "Microsoft.Resources/deployments/write"
+ "Microsoft.Resources/deployments/write",
+ "Microsoft.SecurityInsights/onboardingStates/write"
 ]
 not_actions = []
 }
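Review bot: The two added actions `Microsoft.Authorization/roleAssignments/write` and `Microsoft.Authorization/roleAssignments/delete` let any identity holding this custom role grant roles, up to Owner, to itself or to another principal at the scope where the role is assigned, which makes the role roughly equivalent to User Access Administrator there. The role's name and assignable scope lie outside the hunk, and the same two lines are added in the first hunks of alz/github/variables.hidden.tf and alz/local/variables.hidden.tf. A role definition cannot limit which roles may be handed out, so the limit has to sit on the assignment of this role to the deployment identity, for instance as a role-assignment condition restricting the role definition IDs and principal types it may write or delete. If that constraint is out of scope for this commit, record the need in a comment above the two lines, e.g. `# roleAssignments/write, roleAssignments/delete: needed for <reason>; constrain the assignment of this role with a condition`. An alert on role assignments created by the deployment identity outside pipeline runs would cover what remains.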
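Review bot: `Microsoft.SecurityInsights/onboardingStates/write` is added to this role and in the matching second hunk of alz/github/variables.hidden.tf, while the second hunk of alz/local/variables.hidden.tf removes the same action from a role and no visible local hunk adds it anywhere else. The role names are outside the hunks, so this may be a deliberate move between roles, but as shown the three bootstrap variants end up with different grants. Please confirm that the local role which performs the onboarding still carries the action and that the role losing it is the only one that held it unnecessarily. A short comment next to the new line, e.g. `# onboardingStates/write: needed for <reason>`, would record why it is granted.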
diff --git a/alz/local/variables.hidden.tf b/alz/local/variables.hidden.tf
index 7cdbe21..d19c8c7 100644
--- a/alz/local/variables.hidden.tf
+++ b/alz/local/variables.hidden.tf
@@ -150,7 +150,9 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Resources/deployments/write",
 "Microsoft.Resources/deployments/validate/action",
 "Microsoft.Resources/deployments/read",
- "Microsoft.Resources/deployments/operationStatuses/read"
+ "Microsoft.Resources/deployments/operationStatuses/read",
+ "Microsoft.Authorization/roleAssignments/write",
+ "Microsoft.Authorization/roleAssignments/delete"
 ]
 not_actions = []
 }
@@ -170,8 +172,7 @@ variable "custom_role_definitions_bicep" {
 "Microsoft.Insights/diagnosticSettings/write",
 "Microsoft.Insights/diagnosticSettings/read",
 "Microsoft.Resources/deployments/whatIf/action",
- "Microsoft.Resources/deployments/write",
- "Microsoft.SecurityInsights/onboardingStates/write"
+ "Microsoft.Resources/deployments/write"
 ]
 not_actions = []
 }