These permissions are required on the CA by the user account running Intel SCS component doing the configuration:
For an Enterprise root CA you also need to grant this user account the Read and Enroll permissions on the templates you want to select in the configuration profiles.