You are a cloud engineer responsible for assigning Azure roles to your team members. You're tasked with ensuring that the first user can view all resources in the subscription but only modify virtual machine (VM) resources. You also need to ensure that the second user can view and manage all resources, but only within a specific resource group. Which of the following role assignments would fulfill these requirements? (Choose three)