On Version 14.3 after following the instructions below, the existing accounts and groups entitlements appear; but users are unable to add/search/remove group entitlements for their own accounts.  The 'imadmin' user can manage groups for users.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-5/administrating/identity-portal-administration/about-modules/create-direct-endpoints.html

Release : 14.x

Component : CA IDENTITY SUITE

Modify scoping on Self Manager admin role in IDM as follows:

On the Tasks tab, add the "Modify Active Directory Account" task.

On the Members tab, edit the Member Rule to include Active Directory Group objects with a scope rule of "(all)" and Active Directory Account objects with a scope rule that will allow them to modify only their own accounts, for example the rule "where Account Name = admin's Login Id".