So you may have individuals or partners that are responsible for uploading Autopilot identities (hardware hash associated Azure AD objects), so they are associated with the tenant and get the Autopilot profile and enrollment configurations. They import may be done manually through a .csv upload or through Get-WindowsAutoPilotInfo for testing. Now the permissions that are needed to manage Autopilot identities are displayed in the screenshot below. You may create a custom role in Intune under Tenant administration>roles>Create>Intune role, give it a suitable name and assign the permissions found in the image below. Everything is found under the category enrollment programs. The permissions may even be more restricted to unselect Delete device and Assign profile, but I would create the role with these permissions so all tasks around Autopilot identities can be done.
