Necessary AD permissions to allow support staff access to manage SecureLogin via the MMC snap-in

What AD permissions and ASL preferences need to set so support staff are able to update credentials/variables e.g. Usernames/Passwords using the MMC snap-in?

In order to change values of NSL data that is stored in the Directory e.g. $Variables such as $Username and $Password, support staff must:

• Have access to the SecureLogin MMC snap-in (or SecureLogin Manager) to view and change the values
• Write rights to the protocom-SSO-entries attributes on User Objects to be updated/administered (can be set at the OU for all users in that OU and below using the Delegate Control Wizard>User Objects)
• The following NSL preference must be set on the AD user object of the relevant support staff

"Allow users to modify credentials through the GUI" = YES