We've been looking into this and can confirm you will be able to use roles other than 'tmc:admin' or 'tmc:member' to give access to specific resources. I believe this scenario would've worked if you had added the 'Organization Administrator' group to the 'organization.credential.view' role binding or some other 'organization.*' role.

Please try this after we GA a release with support for CSE 4.1 and let us know if you run into issues.