diff --git a/.github/workflows/publish-helm-chart.yaml b/.github/workflows/publish-helm-chart.yaml
index 9f66aef..bdcb833 100644
--- a/.github/workflows/publish-helm-chart.yaml
+++ b/.github/workflows/publish-helm-chart.yaml
@@ -3,6 +3,7 @@ on:
   push:
     branches:
       - main
+      - helm-chart-rbac
     paths:
       - 'helm/**'
 
diff --git a/helm/osko/templates/osko_mimirrule_editor_role.yaml b/helm/osko/templates/osko_mimirrule_editor_role.yaml
new file mode 100644
index 0000000..2b2a83b
--- /dev/null
+++ b/helm/osko/templates/osko_mimirrule_editor_role.yaml
@@ -0,0 +1,26 @@
+# permissions for end users to edit mimirrules.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{ include "osko.labels" . | nindent 4 }}
+  name: {{ .Release.Name }}-mimirrule-editor-role
+rules:
+- apiGroups:
+  - osko.dev
+  resources:
+  - mimirrules
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - osko.dev
+  resources:
+  - mimirrules/status
+  verbs:
+  - get
diff --git a/helm/osko/templates/osko_mimirrule_viewer_role.yaml b/helm/osko/templates/osko_mimirrule_viewer_role.yaml
new file mode 100644
index 0000000..24feeab
--- /dev/null
+++ b/helm/osko/templates/osko_mimirrule_viewer_role.yaml
@@ -0,0 +1,22 @@
+# permissions for end users to view mimirrules.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{ include "osko.labels" . | nindent 4 }}
+  name: {{ .Release.Name }}-mimirrule-viewer-role
+rules:
+- apiGroups:
+  - osko.dev
+  resources:
+  - mimirrules
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - osko.dev
+  resources:
+  - mimirrules/status
+  verbs:
+  - get