diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
index dc2969f6..44979294 100644
--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -9,6 +9,8 @@ metadata:
     bindings.labs.vmware.com/release: devel
 aggregationRule:
   clusterRoleSelectors:
+  - matchLabels:
+      bindings.labs.vmware.com/admin: "true"
   - matchLabels:
       servicebinding.io/controller: "true"
   # legacy support
@@ -22,7 +24,7 @@ metadata:
   name: service-binding-core
   labels:
     bindings.labs.vmware.com/release: devel
-    servicebinding.io/controller: "true"
+    bindings.labs.vmware.com/admin: "true"
 rules:
   - apiGroups: [""]
     resources: ["configmaps", "services", "secrets", "events", "namespaces"]
@@ -46,7 +48,7 @@ metadata:
   name: service-binding-crd
   labels:
     bindings.labs.vmware.com/release: devel
-    servicebinding.io/controller: "true"
+    bindings.labs.vmware.com/admin: "true"
 rules:
   - apiGroups: ["servicebinding.io"]
     resources: ["*"]
@@ -100,3 +102,14 @@ rules:
 - apiGroups: ["servicebinding.io"]
   resources: ["servicebindings"]
   verbs: ["get","list","watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: service-binding-provisioned-services
+  labels:
+    servicebinding.io/controller: "true"
+rules:
+- apiGroups: ["bindings.labs.vmware.com"]
+  resources: ["provisionedservices"]
+  verbs: ["get","list","watch"]