Logins that have this role can:
* execute sp_showplan
* kill processes of logins that do not have sa_role
* execute dbcc sqltext

Beside this recommendation, I have found that the need to have sa_role to
execute sp_addexternlogin to be a rather strict limitation. Why isn't
sso_role enough??? My 2nd recommendation would be to remove the need for
sa_role to execute sp_addexternlogin/sp_dropexternlogin. The execution of
these procs should fall under the responsibility of the sso_role