NWBC authorization for Manage Password Self-Service

We are using GRC 10.0. I want to create a role for service desk users so that all they have access to in NWBC is "Manage Password Self-Service". This will allow them to unlock users who failed to provide their PSS answers correctly 3 times. I have looked everywhere and can't find anything. Also done traces but can't figure out what authorization object controls it. Any help would be appreciated.