diff --git a/manifests/40-rbac.yaml b/manifests/40-rbac.yaml
index a31bee6056..bbbb847c94 100644
--- a/manifests/40-rbac.yaml
+++ b/manifests/40-rbac.yaml
@@ -24,8 +24,17 @@ metadata:
 rules:
 # We own (the right to perform anything with) tuned.openshift.io
 - apiGroups: ["tuned.openshift.io"]
-  resources: ["*"]
-  verbs: ["*"]
+  resources: ["tuneds"]
+  verbs: ["create","get","delete","list","update","watch","patch"]
+- apiGroups: ["tuned.openshift.io"]
+  resources: ["tuneds/finalizers"]
+  verbs: ["update"]
+- apiGroups: ["tuned.openshift.io"]
+  resources: ["profiles"]
+  verbs: ["create","get","delete","list","update","watch","patch"]
+- apiGroups: ["tuned.openshift.io"]
+  resources: ["profiles/finalizers"]
+  verbs: ["update"]
 # The operator oversees tuned daemonset. It even needs to be able
 # to delete it when the operator is put into "Removed" state.
 - apiGroups: ["apps"]
@@ -128,8 +137,11 @@ metadata:
   name: cluster-node-tuning:tuned
 rules:
 - apiGroups: ["tuned.openshift.io"]
-  resources: ["*"]
-  verbs: ["*"]
+  resources: ["tuneds"]
+  verbs: ["get","list","watch"]
+- apiGroups: ["tuned.openshift.io"]
+  resources: ["profiles"]
+  verbs: ["get","list","update","watch","patch"]
 - apiGroups: ["security.openshift.io"]
   resources: ["securitycontextconstraints"]
   verbs: ["use"]
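Review bot: The context comment `# We own (the right to perform anything with) tuned.openshift.io` at the top of the first hunk is stale once the wildcard rule is replaced by four enumerated rules; I would reword it to `# Explicit resources and verbs on tuned.openshift.io; new kinds or subresources must be added here.` The old `resources: ["*"]` also matched `tuneds/status` and `profiles/status`, which the new list omits. If either CRD enables the status subresource (not visible in this diff), the operator's status writes will be denied unless a rule for those subresources is added; the same check applies to the `profiles` rule in the second hunk. The rules list continues outside the hunk.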
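Review bot: The new `profiles` rule for `cluster-node-tuning:tuned` in the second hunk still grants `update` and `patch` on the whole resource, and nothing in the hunk says why the daemon needs write access. This role is presumably bound to the service account of the tuned daemonset pods, so a compromised pod on one node could rewrite every Profile object the role reaches, not only the one for its own node. If the daemon only reports status, keep `profiles` at `["get","list","watch"]` and move the write verbs to `resources: ["profiles/status"]`, which requires the CRD's status subresource to be enabled. Otherwise add a comment above the rule such as `# tuned writes back to its node's Profile; RBAC cannot scope this per node.`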