diff --git a/CHANGELOG.md b/CHANGELOG.md index f4502480..73bdfca5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#693]). + +[#693]: https://github.com/stackabletech/secret-operator/pull/693 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 diff --git a/Cargo.nix b/Cargo.nix index 41fb7218..c3518d07 100644 --- a/Cargo.nix +++ b/Cargo.nix @@ -5507,7 +5507,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "k8s_version"; authors = [ @@ -11579,7 +11579,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_certs"; authors = [ @@ -11765,7 +11765,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_operator"; authors = [ @@ -11937,7 +11937,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_operator_derive"; 
@@ -12272,7 +12272,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_shared"; authors = [ @@ -12463,7 +12463,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_telemetry"; authors = [ @@ -12573,7 +12573,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_versioned"; authors = [ @@ -12617,7 +12617,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; procMacro = true; libName = "stackable_versioned_macros"; @@ -12685,7 +12685,7 @@ rec { src = pkgs.fetchgit { url = "https://github.com/stackabletech/operator-rs.git"; rev = "7486017f60827d1d769d7bf17bf56adb21f8bb02"; - sha256 = "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c"; + sha256 = "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2"; }; libName = "stackable_webhook"; authors = [ diff --git a/crate-hashes.json b/crate-hashes.json index 4285dcd3..d0fa9a3c 100644 --- a/crate-hashes.json +++ b/crate-hashes.json 
@@ -6,15 +6,15 @@ "git+https://github.com/kube-rs/kube-rs?rev=fe69cc486ff8e62a7da61d64ec3ebbd9e64c43b5#kube@3.0.1": "1irm4g79crlxjm3iqrgvx0f6wxdcj394ky84q89pk9i36y2mlw3n", "git+https://github.com/stackabletech/krb5-rs.git?tag=v0.1.0#krb5-sys@0.1.0": "148zr0q04163hpirkrff5q7cbxqgwzzxh0091zr4g23x7l64jh39", "git+https://github.com/stackabletech/krb5-rs.git?tag=v0.1.0#krb5@0.1.0": "148zr0q04163hpirkrff5q7cbxqgwzzxh0091zr4g23x7l64jh39", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", - "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1yg7hbpgclp1zvfnhi4qkrwbgsa19v86plh77vqvwxzdxxxvxr4c", + 
"git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#k8s-version@0.1.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-certs@0.4.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator-derive@0.3.1": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-operator@0.108.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-shared@0.1.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-telemetry@0.6.2": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned-macros@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-versioned@0.8.3": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", + "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-operator-0.108.0#stackable-webhook@0.9.0": "1fgc7i8rhq1nl9m4s69sbfiywy2jx4narpynvm3g54vd5yd4c6m2", "git+https://github.com/stackabletech/operator-rs.git?tag=stackable-telemetry-0.6.1#stackable-telemetry@0.6.1": "0hiymhr40ix4jv9dmvp5d009xs6v0frvllr2xkf5mw43rcg44mgd", "git+https://github.com/stackabletech/product-config.git?tag=0.8.0#product-config@0.8.0": "1dz70kapm2wdqcr7ndyjji0lhsl98bsq95gnb2lw487wf6yr7987" } \ No newline at end of file 
diff --git a/deploy/helm/secret-operator/templates/roles.yaml b/deploy/helm/secret-operator/templates/roles.yaml
index 14970b11..b43ec121 100644
--- a/deploy/helm/secret-operator/templates/roles.yaml
+++ b/deploy/helm/secret-operator/templates/roles.yaml
@@ -43,22 +43,40 @@ metadata:
 labels:
 {{- include "operator.labels" . | nindent 4 }}
 rules:
- # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's
- # generated certificate in the conversion webhook.
- {{- if .Values.maintenance.customResourceDefinitions.maintain }}
+ # Required for maintaining the CRDs (including the conversion webhook configuration) and
+ # for the startup condition check.
 - apiGroups: [apiextensions.k8s.io]
 resources: [customresourcedefinitions]
 verbs:
+ {{- if .Values.maintenance.customResourceDefinitions.maintain }}
+ # Required to maintain the CRD (e.g. conversion webhook certificate).
 - create
 - patch
+ {{- end }}
 # Required for startup condition
 - list
 - watch
- {{- end }}
+ # Secrets are read and written by multiple backends (autoTLS CA storage, Kerberos keytab,
+ # k8sSearch, cert-manager). The autoTLS backend uses replace (HTTP PUT) for CA entries,
+ # requiring the update verb in addition to SSA verbs. The truststore controller applies
+ # trust-store Secrets via SSA and watches them for changes.
 - apiGroups:
 - ""
 resources:
 - secrets
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - update
+ # Required by the external-provisioner sidecar, which still uses the legacy core/v1 events
+ # API (not events.k8s.io). See upstream RBAC:
+ # https://github.com/kubernetes-csi/external-provisioner/blob/v5.3.0/deploy/kubernetes/rbac.yaml
+ - apiGroups:
+ - ""
+ resources:
 - events
 verbs:
 - get
@@ -67,6 +85,8 @@ rules:
 - create
 - patch
 - update
+ # ConfigMaps are applied by the truststore controller via SSA and watched for changes.
+ # Also read by the autoTLS backend for trust roots and by the k8sSearch backend.
 - apiGroups:
 - ""
 resources:
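Review bot: The new Secrets rule in the `@@ -43,22` hunk grants `list` and `watch` at what looks like cluster scope (the role's `kind` is above this hunk, but the node and PersistentVolume rules in the same file only make sense in a ClusterRole), and the comment names four consumers without saying which of them needs those two verbs rather than plain `get`. In a ClusterRole, `list`/`watch` on secrets is read access to every Secret in the cluster and cannot be narrowed with `resourceNames`, so it is the grant a future reviewer will most want to see justified per consumer. Suggest extending the comment with `# list/watch are needed by <backend — confirm> and cannot be restricted by resourceNames; they amount to read access to every Secret in the cluster.` The core/v1 events rule below it is fine; its remaining verbs continue in the next hunk.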
@@ -77,6 +97,7 @@ rules:
 - get
 - watch
 - list
+ # PersistentVolumes are managed by the external-provisioner sidecar on behalf of the CSI driver.
 - apiGroups:
 - ""
 resources:
@@ -88,23 +109,29 @@ rules:
 - patch
 - create
 - delete
+ # Nodes are fetched to look up node IPs for certificate SANs. The external-provisioner
+ # sidecar lists and watches Nodes for CSI volume topology (--feature-gates=Topology=true).
+ # PersistentVolumeClaims are read by the CSI controller during CreateVolume to locate the
+ # owning Pod and resolve listener scope. The external-provisioner sidecar watches PVCs to
+ # trigger PV provisioning.
 - apiGroups:
 - ""
 resources:
- - configmaps
 - nodes
 - persistentvolumeclaims
 verbs:
 - get
 - list
 - watch
- # For automatic cluster domain detection
+ # For automatic cluster domain detection.
 - apiGroups:
 - ""
 resources:
 - nodes/proxy
 verbs:
 - get
+ # Required by the external-provisioner sidecar to discover driver topology keys (CSINodes)
+ # and determine volume binding mode (StorageClasses).
 - apiGroups:
 - storage.k8s.io
 resources:
@@ -114,6 +141,8 @@ rules:
 - get
 - list
 - watch
+ # Pods are read by the CSI driver to resolve secret scope. Patched with expiry annotations
+ # so the restarter can evict pods before their certificates expire.
 - apiGroups:
 - ""
 resources:
@@ -121,11 +150,13 @@ rules:
 verbs:
 - get
 - patch
+ # SecretClasses are the primary configuration CRD. Read by the CSI controller and the
+ # truststore controller. Watched to retrigger reconciliation when a SecretClass changes.
+ # The operator creates the default "tls" SecretClass at startup when CRD maintenance is enabled.
 - apiGroups:
 - secrets.stackable.tech
 resources:
 - secretclasses
- - truststores
 verbs:
 {{- if .Values.maintenance.customResourceDefinitions.maintain }}
 - create
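Review bot: The comment `# For automatic cluster domain detection.` on the `nodes/proxy` rule in the `@@ -88,23` hunk understates what the grant allows: `get` on `nodes/proxy` lets the service account issue GET requests to any kubelet endpoint on every node, not only the endpoint used for domain detection, which is why this subresource is generally treated as a privileged grant. Since this PR's stated purpose is to document each permission, that breadth belongs in the comment so nobody later adds further verbs to it casually. Suggest `# For automatic cluster domain detection (read via the kubelet API — confirm endpoint). NOTE: get on nodes/proxy permits GET against any kubelet endpoint on every node; keep the verb list to get only.`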
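Review bot: The Pods comment added in the `@@ -114,6` hunk explains the annotation write but not the breadth of the verb behind it: `patch` on pods (the verb list is context in the following hunk) cannot be limited to annotations by RBAC, so it also covers the mutable parts of `spec` on every pod the role can see. Documenting that this is an accepted cluster-wide grant, and why it cannot be narrowed, is the point a later least-privilege review will look for. Suggest appending `# NOTE: patch on pods cannot be restricted to annotations by RBAC; accepted cluster-wide because pods in any namespace may mount secret-operator volumes — confirm.`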
@@ -134,6 +165,16 @@ rules:
 - get
 - watch
 - list
+ # TrustStores are the primary reconciled resource in the truststore controller.
+ - apiGroups:
+ - secrets.stackable.tech
+ resources:
+ - truststores
+ verbs:
+ - get
+ - watch
+ - list
+ # Read during volume provisioning to resolve listener-scoped addresses for TLS SANs.
 - apiGroups:
 - listeners.stackable.tech
 resources:
@@ -142,6 +183,8 @@ rules:
 - podlisteners
 verbs:
 - get
+ # cert-manager Certificates are applied via SSA by the cert-manager backend when provisioning
+ # a certificate, and read back to check node affinity for scheduling decisions.
 - apiGroups:
 - cert-manager.io
 resources:
@@ -150,6 +193,7 @@ rules:
 - get
 - patch
 - create
+ # Publish reconciliation errors as Kubernetes Events.
 - apiGroups:
 - events.k8s.io
 resources:
@@ -158,6 +202,8 @@ rules:
 - create
 - patch
 {{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
+ # Required on OpenShift to allow the secret-operator pods to run with the custom SCC
+ # defined above (host-path volumes and bidirectional mount propagation for the CSI driver).
 - apiGroups:
 - security.openshift.io
 resourceNames:
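Review bot: The new TrustStores rule in the `@@ -134,6` hunk grants only `get`/`watch`/`list`, whereas before this change `truststores` shared the secretclasses rule and inherited its conditional `create` (and whatever else that `{{- if }}` block grants) when CRD maintenance is enabled. If the truststore controller writes a status subresource or other fields on TrustStore objects — not visible in this diff — those writes will now be denied even with `maintain` on, where they previously succeeded. Worth confirming against the controller before merge; if status is written, add `- truststores/status` with `patch` to this rule rather than re-widening the secretclasses rule, and say so in the comment.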