diff --git a/config/rbac/admin_role.yaml b/config/rbac/admin_role.yaml
new file mode 100644
index 000000000..b4f4728ca
--- /dev/null
+++ b/config/rbac/admin_role.yaml
@@ -0,0 +1,22 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: clusterrole-admin
+ labels:
+ rbac.authorization.kubernetes.io/aggregate-to-admin: "true"
+rules:
+- apiGroups:
+ - quota.codeflare.dev
+ resources:
+ - quotasubtrees
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/editor_role.yaml b/config/rbac/editor_role.yaml
new file mode 100644
index 000000000..aa341297d
--- /dev/null
+++ b/config/rbac/editor_role.yaml
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ name: clusterrole-edit
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+ - workload.codeflare.dev
+ resources:
+ - schedulingspecs
+ - appwrappers
+ verbs:
+ - create
+ - delete
+ - deletecollection
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index cdb307c82..a74a16f1d 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -4,6 +4,8 @@ resources:
 # if your manager will use a service account that exists at
 # runtime. Be sure to update RoleBinding and ClusterRoleBinding
 # subjects if changing service account names.
+- admin_role.yaml
+- editor_role.yaml
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
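Review bot: In config/rbac/admin_role.yaml the aggregation label is written as `rbac.authorization.kubernetes.io/aggregate-to-admin: "true"`, but the built-in admin ClusterRole selects aggregated roles on the `rbac.authorization.k8s.io` prefix, which is the form editor_role.yaml uses. As written, the quotasubtrees rules would not be folded into admin. The line should read `rbac.authorization.k8s.io/aggregate-to-admin: "true"`; only the autoupdate annotation uses the `kubernetes.io` domain. Once the label is corrected, every subject bound to admin in a namespace gains create, delete and patch on quotasubtrees. It is worth confirming that tenants are meant to change quota definitions, and recording that in a comment above `rules:`.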
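Review bot: In config/rbac/editor_role.yaml the two `aggregate-to-*` labels give full write access, including `delete` and `deletecollection`, on appwrappers and schedulingspecs to every subject that holds the built-in edit or admin role in a namespace. Nothing in the file records that this breadth is intended. If the controller creates the resources wrapped by an AppWrapper under its own service account, which is not visible in this diff, the grant also gives namespace editors indirect access to whatever that service account may create. It should therefore be checked against the controller's own RBAC and any admission validation. I would add a header comment such as `# Aggregated into the built-in edit and admin roles: namespace editors can manage AppWrappers and SchedulingSpecs.` and consider dropping `deletecollection` if bulk deletion is not needed. The name `clusterrole-edit` is also very generic for a cluster-scoped object, so a project-specific name would be safer unless a kustomize namePrefix outside this diff already provides one.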