I had to configure a separate role for an young inexperienced colleague, making sure he won't be able to break anything in Intune.
Except I had some trouble getting the role permissions to activate.
Not sure why most of the information on the web isn't telling you that you need to assign the user a Intune capable license or else the roles will not activate at all.
This can be a simple Microsoft 365 F1 license or a full fledge Business Premium, al long Intune is included.
Once you assign the correct license it will only take signing out and back in again for the roles to apply