diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index dc2969f6..c8dbc7d4 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -10,7 +10,7 @@ metadata:
 aggregationRule:
   clusterRoleSelectors:
   - matchLabels:
-      servicebinding.io/controller: "true"
+      bindings.labs.vmware.com/admin: "true"
   # legacy support
   - matchLabels:
       service.binding/controller: "true"
@@ -22,7 +22,7 @@ metadata:
   name: service-binding-core
   labels:
     bindings.labs.vmware.com/release: devel
-    servicebinding.io/controller: "true"
+    bindings.labs.vmware.com/admin: "true"
 rules:
   - apiGroups: [""]
     resources: ["configmaps", "services", "secrets", "events", "namespaces"]
@@ -46,7 +46,7 @@ metadata:
   name: service-binding-crd
   labels:
     bindings.labs.vmware.com/release: devel
-    servicebinding.io/controller: "true"
+    bindings.labs.vmware.com/admin: "true"
 rules:
   - apiGroups: ["servicebinding.io"]
     resources: ["*"]
@@ -100,3 +100,14 @@ rules:
 - apiGroups: ["servicebinding.io"]
   resources: ["servicebindings"]
   verbs: ["get","list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: service-binding-provisioned-service
+  labels:
+    servicebinding.io/controller: "true"
+rules:
+- apiGroups: ["bindings.labs.vmware.com"]
+  resources: ["*"]
+  verbs: ["get","list","watch"]
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index 7c034639..5a5357ca 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
@@ -7,6 +7,7 @@ metadata:
   name: service-binding-controller-admin
   labels:
     bindings.labs.vmware.com/release: devel
+    bindings.labs.vmware.com/admin: "true"
 subjects:
   - kind: ServiceAccount
     name: controller