Which roles can grant privileges on objects within a managed access schema? (Choose two.)