diff --git a/config/rbac/appstudio_api_permissions_role.yaml b/config/rbac/appstudio_api_permissions_role.yaml
new file mode 100644
index 00000000..5ae07c3e
--- /dev/null
+++ b/config/rbac/appstudio_api_permissions_role.yaml
@@ -0,0 +1,36 @@
+# permissions needed to apply appstudio templates.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: appstudio-api-permissions
+rules:
+- apiGroups:
+ - appstudio.redhat.com
+ - tekton.dev
+ - jvmbuildservice.io
+ resources:
+ - "*"
+ verbs:
+ # TODO fix after changing the ADR and associated appstudio teemplates
+ - "*"
+- apiGroups:
+ - managed-gitops.redhat.com
+ - results.tekton.dev
+ resources:
+ - "*"
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+ - patch
+ - delete
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ - configmaps
+ verbs:
+ # TODO fix after changing the ADR and associated appstudio teemplates
+ - "*"
diff --git a/config/rbac/appstudio_api_permissions_rolebinding.yaml b/config/rbac/appstudio_api_permissions_rolebinding.yaml
new file mode 100644
index 00000000..037c8a00
--- /dev/null
+++ b/config/rbac/appstudio_api_permissions_rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: appstudio-api-permissions
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: appstudio-api-permissions
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
diff --git a/config/rbac/edit_role_binding.yaml b/config/rbac/edit_role_binding.yaml
new file mode 100644
index 00000000..8a22b409
--- /dev/null
+++ b/config/rbac/edit_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: edit-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: edit
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
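Review bot: The `verbs: ["*"]` on `secrets` and `configmaps` in the last rule, in a `ClusterRole` that the sibling file binds cluster-wide, gives `controller-manager` unrestricted access to every Secret in every namespace; being able to read arbitrary Secrets (including any long-lived ServiceAccount token Secrets) is effectively the ability to act as any ServiceAccount in the cluster, so this grant should be reviewed as near-cluster-admin. The second rule in the same file already enumerates its verbs, and the Go markers elsewhere in this commit replace `verbs=*` with an explicit list, so the two `- "*"` verb entries are inconsistent with the rest of the change; a wildcard also silently includes `deletecollection` and any verb these APIs gain later. Unless the operator genuinely must act on Secrets across all namespaces, enumerate the verbs, e.g. `verbs: [get, list, watch, create, update, patch, delete]`, and consider issuing the Secret/ConfigMap access as a namespace-scoped Role in each tenant namespace the operator provisions rather than through this ClusterRole. The two `TODO` comments should name the ADR and the template change that will allow the wildcard to be dropped (and `teemplates` is a typo for `templates`).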
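Review bot: Binding the built-in `edit` ClusterRole to `controller-manager` through a `ClusterRoleBinding` grants the operator write access to workloads, Secrets, ServiceAccounts, `pods/exec` and `pods/portforward` in every namespace, and because `edit` is an aggregated ClusterRole its contents grow whenever any other installed component labels a ClusterRole with `rbac.authorization.k8s.io/aggregate-to-edit`, so the operator's effective permissions are no longer pinned by this repository. If the binding exists only so the operator can create RoleBindings to `edit` in the namespaces it provisions (RBAC escalation prevention requires the creator to either hold every permission in the referenced role or have the `bind` verb on it), the minimal grant is one rule in the operator's own ClusterRole, `{apiGroups: [rbac.authorization.k8s.io], resources: [clusterroles], resourceNames: [edit], verbs: [bind]}`, rather than holding `edit` itself. If the operator really does need `edit`-level access somewhere, prefer namespace-scoped RoleBindings to this ClusterRole over a cluster-wide ClusterRoleBinding, and add a header comment to the file stating which controller relies on it.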
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index c939e918..32ba69cd 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
+- edit_role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 - camel_k_role.yaml
@@ -20,3 +21,6 @@ resources:
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
 - auth_proxy_client_clusterrole.yaml
+# Extra permissions for AppStudio tiers
+- appstudio_api_permissions_role.yaml
+- appstudio_api_permissions_rolebinding.yaml
diff --git a/controllers/memberstatus/memberstatus_controller.go b/controllers/memberstatus/memberstatus_controller.go
index c3661f7d..6d5ca302 100644
--- a/controllers/memberstatus/memberstatus_controller.go
+++ b/controllers/memberstatus/memberstatus_controller.go
@@ -68,7 +68,7 @@ type Reconciler struct {
 //+kubebuilder:rbac:groups=toolchain.dev.openshift.com,resources=memberstatuses/finalizers,verbs=update
 //+kubebuilder:rbac:groups="",resources=nodes,verbs=get;list;watch
-//+kubebuilder:rbac:groups=metrics.k8s.io,resources=*,verbs=get;list;watch
+//+kubebuilder:rbac:groups=metrics.k8s.io,resources=nodes,verbs=get;list;watch
 //+kubebuilder:rbac:groups=route.openshift.io,resources=routes,verbs=get;list;watch
 // Reconcile reads the state of toolchain member cluster components and updates the MemberStatus resource with information useful for observation or troubleshooting
diff --git a/controllers/nstemplateset/nstemplateset_controller.go b/controllers/nstemplateset/nstemplateset_controller.go
index 03647e70..5f77b085 100644
--- a/controllers/nstemplateset/nstemplateset_controller.go
+++ b/controllers/nstemplateset/nstemplateset_controller.go
@@ -89,9 +89,8 @@ type Reconciler struct {
 //+kubebuilder:rbac:groups=toolchain.dev.openshift.com,resources=nstemplatesets/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=toolchain.dev.openshift.com,resources=nstemplatesets/finalizers,verbs=update
-//+kubebuilder:rbac:groups="",resources=namespaces;limitranges,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups="",resources=namespaces;resourcequotas,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;authorization.openshift.io,resources=rolebindings;roles;clusterroles;clusterrolebindings,verbs=*
+//+kubebuilder:rbac:groups="",resources=namespaces;limitranges;resourcequotas;pods/exec,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups=rbac.authorization.k8s.io;authorization.openshift.io,resources=rolebindings;roles;clusterroles;clusterrolebindings,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=quota.openshift.io,resources=clusterresourcequotas,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=networking.k8s.io,resources=networkpolicies,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=appstudio.redhat.com,resources=environments,verbs=get;list;watch;create;update;delete
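Review bot: The new `pods/exec` entry is folded into the core-group marker with `verbs=get;list;watch;create;update;patch;delete`, but `pods/exec` is a subresource on which only `create` (and `get`, for websocket-initiated sessions) means anything; the remaining verbs are dead weight in the generated ClusterRole and make the grant read broader than it is, while `create` alone already lets the controller run commands in any pod in any namespace and pick up whatever credentials those pods hold. Give the subresource its own marker with the verb it actually needs, `//+kubebuilder:rbac:groups="",resources=pods/exec,verbs=create`, and put a comment above it saying why this controller execs into pods — or, if it only needs the permission so that the RoleBindings it creates for tenants may include `pods/exec` (RBAC escalation prevention requires the creator to hold what it grants), say that instead, since the two cases call for different review. Narrowing the RBAC-group marker from `verbs=*` to an explicit list is the right move; the wildcard also implied `bind` and `escalate`. This hunk is a run of kubebuilder markers only; the Reconcile method they presumably annotate begins after the hunk.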