Hi. While automating a new tenant setup I’m having issues trying to add a Fabric Administrator to an existing Fabric Group in a vRealize Orchestrator script (JavaScript). I’ve included the code I’m executing below. I’m able to update the Scope to include the scope ID for the Fabric group, but I’m having trouble adding existing users.

I'm trying to add an existing user to the fabric group as a fabric administrator using the AuthorizationPrincipalService. I'm not sure if I should use "SetRoles" or "setScopeRoles" and then call "createOrUpdatePrincipalExtension". Or if I should use "addScopeRole" or something else completely different. From the help, addScopeRole would take the tenant, principleId, ScopeID (the fabric group), and the roleId (I don't know what the role ID is for a fabric admin).

Any help is greatly appreciated. Thanks in advance.

var currTenant = "TestTenant";
// Get Fabric Group Scope ID
var fabricGroup = System.getModule("com.vmware.library.vcac").getEnterpriseAdminGroupEntityByName(host, "LabTenant-FG");
var fabricGroupScopeID = fabricGroup.getProperty('EnterpriseAdminID');
var scopeService = cafeHost.createAuthorizationClient().getAuthorizationScopeService();
// Add Fabric Group
System.log("Adding Fabric Group to Tenant");
var newScope = new vCACCAFEScope();
newScope.setId(fabricGroup.getProperty('EnterpriseAdminID'));
newScope.setTenant(currTenant);
newScope.setName(fabricGroup.getProperty('AdminName'));
// Scope Type
var newScopeType = new vCACCAFEScopeType();
newScopeType.setId("CSP_SUBTENANT"); // I looked this up on an existing tenant that was manually set up in vRA
// Update newScope's scope type
newScope.setScopeType(newScopeType);
// Update Scope
scopeService.createOrUpdateScope(currTenant, newScope);
var authorPrincipalSvc = cafeHost.createAuthorizationClient().getAuthorizationPrincipalService();
/*
 * In this next step I'm trying to add the existing user to the fabric group
 * as a fabric administrator using the AuthorizationPrincipalService.
 * I'm not sure if I should use "SetRoles" or "setScopeRoles" and then call
 * "createOrUpdatePrincipalExtension". Or if I should use "addScopeRole" or
 * something else. From the help, addScopeRole would take the tenant,
 * principleId, ScopeID (the fabric group), and the roleId (I don't know what
 * the role ID is for a fabric admin).
 */
var authRoles = authorPrincipalSvc.addScopeRole(currTenant,"TestUser@vsphere.local", fabricGroupScopeID, "????");