Invalid user role for Deploy CanNotDelete Resource Lock on Resource Groups #488

Description

@spaelling

The RBAC role defined is User Access Administrator, which cannot create deployments, hence it is unable to remediate. The remediation task fails with:

Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/subscriptions/aaa-bbb-ccc/providers/Microsoft.Authorization/policyAssignments/e65827dd3f024df49258e094' resource identity does not have the necessary permissions to create deployment '/subscriptions/aaa-bbb-ccc/resourceGroups/rg-rapid7-mdfc-export/providers/Microsoft.Resources/deployments/PolicyDeployment_9819806381472915206'. Please see https://aka.ms/arm-policy-identity for usage details.

Could change to e.g. Contributor.
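An added example, not part of the issue or the project's code: a small evaluator for Azure RBAC `Actions`/`NotActions` wildcards that reports which operations a remediation identity would still be missing under a given role. It goes beyond the single role in the report by checking several roles; the role permissions are abbreviated copies of the built-in definitions, and the required operations (deployment write from the error above, lock write for the CanNotDelete lock) and the custom role are assumptions.

```python
import re

# Abbreviated built-in role permissions (assumption: copied from the public
# role docs; confirm with `az role definition list --name "<role>"`).
ROLES = {
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*"],
        "not_actions": [],
    },
    "Contributor": {
        "actions": ["*"],
        "not_actions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
    # Hypothetical custom role, constructed for this example only.
    "Lock Remediator (hypothetical)": {
        "actions": ["Microsoft.Resources/deployments/*",
                    "Microsoft.Authorization/locks/*"],
        "not_actions": [],
    },
}

# Assumed operations a DeployIfNotExists lock remediation must perform.
REQUIRED = [
    "Microsoft.Resources/deployments/write",
    "Microsoft.Authorization/locks/write",
]

def _matches(pattern, operation):
    # RBAC patterns use '*' as a wildcard and compare case-insensitively.
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def allows(role, operation):
    # Effective permission = matched by Actions and not removed by NotActions.
    perms = ROLES[role]
    granted = any(_matches(p, operation) for p in perms["actions"])
    excluded = any(_matches(p, operation) for p in perms["not_actions"])
    return granted and not excluded

def missing_operations(role, required=REQUIRED):
    return [op for op in required if not allows(role, op)]

if __name__ == "__main__":
    for name in ROLES:
        print(f"{name}: missing {missing_operations(name) or 'nothing'}")
```

Running it against the role a policy definition lists in `roleDefinitionIds` shows before assignment whether remediation can succeed.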
