When delegated administration is used to change an object's relationships in ways other than UPDATE, such as a POST to `managed/user/_id/roles?_action=create`, the main object (`managed/user` in this example) is required to have CREATE permission. This request is not trying to create a `managed/user`, though; it is updating the managed user's relationship.
The other case is a DELETE to `managed/user/_id/roles/_roleId`. It requires DELETE permission for `managed/user`, even though the request is not deleting a managed user but updating the managed user's relationship.
Logic for origin and edge validation will need to be updated in the DelegatedAdminFilter to allow privileges to be accepted.
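
The two cases above, modelled as a permission decision. This is an added illustration, not DelegatedAdminFilter code; the path layout, the function names, the `mode` switch and the privilege shape are assumptions made for the example.

```javascript
// Model only: not ForgeRock IDM code. Assumed path layout:
//   managed/<type>/<id>[/<relationshipField>[/<edgeId>]]
function parseManagedPath(path) {
  const [root, type, objectId, field, edgeId] = path.split('/').filter(Boolean);
  if (root !== 'managed' || !type) return null;
  return { origin: `managed/${type}`, objectId, field, edgeId };
}

// Permission implied by the HTTP verb alone.
function verbPermission(req) {
  if (req.method === 'POST' && req.action === 'create') return 'CREATE';
  if (req.method === 'DELETE') return 'DELETE';
  return null; // verbs outside the two cases in the report are not modelled
}

// mode 'reported': the verb's permission is demanded on the origin object.
// mode 'expected': a change under a relationship field counts as UPDATE of the origin.
function requiredPermission(req, mode) {
  const target = parseManagedPath(req.path);
  const permission = verbPermission(req);
  if (!target || !permission) return null;
  const isEdgeChange = Boolean(target.objectId && target.field);
  return {
    origin: target.origin,
    permission: mode === 'expected' && isEdgeChange ? 'UPDATE' : permission,
  };
}

// Hypothetical privilege shape: { path, permissions: [...] }.
function isAllowed(privileges, req, mode) {
  const need = requiredPermission(req, mode);
  if (!need) return false; // fail closed on anything the model cannot classify
  return privileges.some(
    (p) => p.path === need.origin && p.permissions.includes(need.permission)
  );
}

// Constructed sample: a delegated admin who may only UPDATE managed/user.
const delegatedAdmin = [{ path: 'managed/user', permissions: ['UPDATE'] }];
const addRole = { method: 'POST', path: 'managed/user/u1/roles', action: 'create' };
const removeRole = { method: 'DELETE', path: 'managed/user/u1/roles/r1' };
const deleteUser = { method: 'DELETE', path: 'managed/user/u1' };

for (const req of [addRole, removeRole, deleteUser]) {
  console.log(req.method, req.path,
    'reported:', isAllowed(delegatedAdmin, req, 'reported'),
    'expected:', isAllowed(delegatedAdmin, req, 'expected'));
}
```

The `deleteUser` case stays denied in both modes, which is the regression check to keep when the filter logic changes: relaxing the relationship paths must not grant deletion of the managed user itself.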