On Version 14.3 after following the instructions below, the existing accounts and groups entitlements appear; but users are unable to add/search/remove group entitlements for their own accounts. The 'imadmin' user can manage groups for users.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-5/administrating/identity-portal-administration/about-modules/create-direct-endpoints.html
Release : 14.x
Component : CA IDENTITY SUITE
Modify scoping on Self Manager admin role in IDM as follows:
On the Tasks tab, add the "Modify Active Directory Account" task.
On the Members tab, edit the Member Rule to include Active Directory Group objects with a scope rule of "(all)" and Active Directory Account objects with a scope rule that will allow them to modify only their own accounts, for example the rule "where Account Name = admin's Login Id".