Which two roles allow you to change roles of users in the cloud service?

The correct choice is the identity domain administrator role, as this role has comprehensive permissions related to user and access management within the cloud service. An identity domain administrator has the authority to manage user roles, which includes the ability to assign, modify, and revoke roles for users across the organization. This is essential for maintaining security and ensuring users have appropriate access to the service based on their responsibilities.

In contrast, the other roles have more limited permissions. The service administrator primarily manages service-specific settings and configurations but may not have the broad capabilities needed to alter user roles. The planner role is focused on the planning aspects, such as creating and managing financial plans, while the viewer role is even more restricted, allowing users only to view information without the ability to make any changes, including to user roles. Therefore, they lack the necessary permissions to manage user roles in the cloud service.