diff --git a/sdlf-cicd/template-cicd-child-foundations.yaml b/sdlf-cicd/template-cicd-child-foundations.yaml
index 4885ec90..4edaaffe 100644
--- a/sdlf-cicd/template-cicd-child-foundations.yaml
+++ b/sdlf-cicd/template-cicd-child-foundations.yaml
@@ -200,6 +200,7 @@ Resources:
 - iam:UntagRole
 - iam:UpdateRole
 - iam:UpdateRoleDescription
+ - iam:UpdateAssumeRolePolicy # so we can update the management account access
 - Resource: !Sub arn:aws:iam::${AWS::AccountId}:policy/sdlf-*
 Effect: Allow
 Action:
@@ -209,6 +210,16 @@ Resources:
 - iam:DeletePolicyVersion
 - iam:GetPolicy
 - iam:GetPolicyVersion
+ - Resource: !Sub arn:aws:iam::${AWS::AccountId}:group/sdlf-*
+ Effect: Allow
+ Action:
+ - iam:CreateGroup
+ - iam:DeleteGroup
+ - iam:GetGroup*
+ - iam:AttachGroupPolicy
+ - iam:PutGroupPolicy
+ - iam:DeleteGroupPolicy
+ - iam:DetachGroupPolicy
 - Resource: "*"
 Effect: "Allow"
 Action: lambda:ListFunctions
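Review bot: `iam:UpdateAssumeRolePolicy` lets the pipeline role rewrite the trust policy of every role matched by this statement's Resource, i.e. decide which principals may assume them, which makes it the most sensitive addition in the commit; the Resource line of that statement is above the hunk, so confirm it is scoped to `role/sdlf-*` and not `*`. As far as I know there is no IAM condition key that constrains the content of a trust policy, so the only guards are the resource pattern and review of the templates this pipeline deploys; a CloudTrail alert on `UpdateAssumeRolePolicy` calls made by this role is a cheap detection to pair with it. The inline comment states the motivation but not the mechanism; `# needed so stack updates can change which management-account principals are trusted to assume sdlf-* roles (trust policy edit)` tells the next reader what is actually being granted.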
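Review bot: `iam:AttachGroupPolicy` in the new group statement is constrained only by the group ARN, so the pipeline could attach any managed policy in the account, including AWS-managed administrative ones, to an `sdlf-*` group; the neighbouring policy statement shows the project's own managed policies live under `policy/sdlf-*`, so the attach/detach actions should be limited to those with a condition such as `Condition: { ArnLike: { "iam:PolicyARN": !Sub "arn:aws:iam::${AWS::AccountId}:policy/sdlf-*" } }`, adding further patterns only if groups are meant to carry AWS managed policies. `iam:PutGroupPolicy` likewise allows arbitrary inline policies on those groups and has no condition key to narrow it, so it deserves the same scrutiny as the trust-policy change in the first hunk. Minor style point: the new statement writes `Effect: Allow` while the statement right after it writes `Effect: "Allow"`; pick one form for the file.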