diff --git a/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml
index d101037f2..048cb7ae3 100644
--- a/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml
+++ b/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml
@@ -1,8 +1,7 @@
 {{- /*
 Licensed to the Apache Software Foundation (ASF) under one
 or more contributor license agreements. See the NOTICE file
-distributed with this work for additional information
-regarding copyright ownership. The ASF licenses this file
+distributed with this work for additional information regarding copyright ownership. The ASF licenses this file
 to you under the Apache License, Version 2.0 (the
 "License"); you may not use this file except in compliance
 with the License. You may obtain a copy of the License at
@@ -28,3 +27,57 @@ metadata:
 {{- template "flink-operator.rbacRules" $ }}
 {{- end }}
 {{- end }}
+
+{{- /*
+create user-facing role, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles for more information
+
+view need permission of object and object/status with verbs [get, list, watch]
+edit need permission of object with verbs [create, update, delete, patch, deletecollection]
+refer https://github.com/kubernetes/kubernetes/blob/release-1.34/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L111-L186
+*/ -}}
+{{- if and .Values.rbac.create .Values.rbac.userFacingRole.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flink-operator-viewer-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+ - apiGroups:
+ - flink.apache.org
+ resources:
+ - flinkdeployments
+ - flinkdeployments/status
+ - flinksessionjobs
+ - flinksessionjobs/status
+ - flinkstatesnapshots
+ - flinkstatesnapshots/status
+ - flinkbluegreendeployments
+ - flinkbluegreendeployments/status
+ verbs:
+ - get
+ - list
+ - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: flink-operator-editor-role
+ labels:
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+ - apiGroups:
+ - flink.apache.org
+ resources:
+ - flinkdeployments
+ - flinksessionjobs
+ - flinkstatesnapshots
+ - flinkbluegreendeployments
+ verbs:
+ - create
+ - update
+ - delete
+ - patch
+ - deletecollection
+{{- end }}
diff --git a/helm/flink-kubernetes-operator/values.yaml b/helm/flink-kubernetes-operator/values.yaml
index 497bcc712..99bfe325f 100644
--- a/helm/flink-kubernetes-operator/values.yaml
+++ b/helm/flink-kubernetes-operator/values.yaml
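Review bot: The two new ClusterRoles use fixed, non-templated names (`name: flink-operator-viewer-role` and `name: flink-operator-editor-role`) even though they are cluster-scoped, so a second release of this chart in another namespace will fail Helm's ownership check on an object that already exists; the rest of the chart's RBAC names come from values (e.g. `rbac.jobRoleBinding.name`), so these should too, e.g. `name: {{ .Values.rbac.userFacingRole.viewerName | default "flink-operator-viewer-role" }}` and the matching editor line, or a release-qualified name. Also worth stating explicitly in the template comment: because of the `aggregate-to-view` / `aggregate-to-edit` labels, every subject already bound to the built-in `view` or `edit` ClusterRoles, in any namespace or cluster-wide, gains get/list/watch and create/update/delete/patch/deletecollection on all `flink.apache.org` resources the moment the chart is installed, and with `userFacingRole.create` defaulting to `true` in values.yaml this happens without an opt-in; FlinkDeployment specs may carry job configuration that cluster owners do not intend `view` holders to read, so consider whether `false` is the safer default. A comment such as `# NOTE: aggregated into the built-in view/edit roles; existing bindings to those roles pick this up automatically` above the first `---` would make that consequence visible to chart consumers.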
@@ -58,6 +58,9 @@ rbac:
 jobRoleBinding:
 create: true
 name: "flink-role-binding"
+ # create user-faceing roles for view/edit/admin, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+ userFacingRole:
+ create: true
 
 operatorPod:
 priorityClassName: null
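Review bot: The added comment promises "view/edit/admin" roles, but the template in this change only creates a viewer role (aggregated to `view`) and an editor role (aggregated to `edit`); no `aggregate-to-admin` role is added, and "user-faceing" is a typo. Since this flag defaults to `true`, the comment should also tell the reader what enabling it does to pre-existing grants in the cluster. Suggested wording: `# Create cluster-scoped viewer/editor ClusterRoles for flink.apache.org resources that are aggregated into the built-in view/edit roles (existing view/edit bindings gain these permissions), see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles`.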