diff --git a/CHANGELOG.md b/CHANGELOG.md index eeaa4f15..b6c0074d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file. ## [Unreleased] +### Changed + +- Document Helm deployed RBAC permissions and remove unnecessary permissions ([#1020]). + +[#1020]: https://github.com/stackabletech/zookeeper-operator/pull/1020 + ## [26.3.0] - 2026-03-16 ## [26.3.0-rc1] - 2026-03-16 diff --git a/deploy/helm/zookeeper-operator/templates/roles.yaml b/deploy/helm/zookeeper-operator/templates/clusterrole-operator.yaml similarity index 64% rename from deploy/helm/zookeeper-operator/templates/roles.yaml rename to deploy/helm/zookeeper-operator/templates/clusterrole-operator.yaml index 41907fd8..1c143961 100644 --- a/deploy/helm/zookeeper-operator/templates/roles.yaml +++ b/deploy/helm/zookeeper-operator/templates/clusterrole-operator.yaml @@ -6,13 +6,6 @@ metadata: labels: {{- include "operator.labels" . | nindent 4 }} rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch # For automatic cluster domain detection - apiGroups: - "" @@ -20,23 +13,35 @@ rules: - nodes/proxy verbs: - get + # Manage core workload resources created per ZookeeperCluster. + # All resources are applied via Server-Side Apply (create + patch) and tracked for + # orphan cleanup (list + delete). - apiGroups: - "" resources: - - pods - configmaps - - secrets - services - - endpoints - - serviceaccounts verbs: - create - delete - get - list - patch - - update - watch + # ServiceAccount created per ZookeeperCluster for workload pod identity. + # Applied via SSA and tracked for orphan cleanup. + - apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + # RoleBinding created per ZookeeperCluster to bind the product ClusterRole to the workload + # ServiceAccount. Applied via SSA and tracked for orphan cleanup. - apiGroups: - rbac.authorization.k8s.io resources: 
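Review bot: The comment added above the configmaps/services rule justifies create, patch, list and delete but says nothing about `watch`, which is in that rule's verb list and which the new serviceaccounts rule directly below deliberately omits; a reader cannot tell whether watch is still needed here or is a leftover from the old combined rule. If the controller registers informers on ConfigMaps and Services so that changes trigger a reconciliation, say so in the comment, e.g. `# watch: owned ConfigMaps and Services are watched so changes trigger a reconciliation.`; if it does not, drop the verb to match the serviceaccounts rule. `get` is likewise granted in both rules without being mentioned; one clause on why it is needed (presumably to read back applied objects — confirm against the code) would make the justification complete. This hunk ends inside the `rules:` sequence, which continues in the next hunk.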
@@ -47,8 +52,7 @@ rules: - get - list - patch - - update - - watch + # Required to bind the product ClusterRole to the per-cluster ServiceAccount. - apiGroups: - rbac.authorization.k8s.io resources: @@ -57,30 +61,20 @@ rules: - bind resourceNames: - {{ include "operator.name" . }}-clusterrole + # StatefulSet created per role group. Applied via SSA, tracked for orphan cleanup, + # and owned by the controller. - apiGroups: - apps resources: - statefulsets - verbs: - - get - - create - - delete - - list - - patch - - update - - watch - - apiGroups: - - batch - resources: - - jobs verbs: - create - delete - get - list - patch - - update - watch + # PodDisruptionBudget created per role. Applied via SSA and tracked for orphan cleanup. - apiGroups: - policy resources: @@ -91,23 +85,23 @@ rules: - get - list - patch - - update - - watch + # Required for maintaining the CRDs (including the conversion webhook certificate). + # Also required for the startup condition check. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - - get # Required to maintain the CRD. The operator needs to do this, as it needs to enter e.g. it's # generated certificate in the conversion webhook. {{- if .Values.maintenance.customResourceDefinitions.maintain }} - create - patch + {{- end }} # Required for startup condition - list - watch - {{- end }} + # Read AuthenticationClass configuration referenced in the ZookeeperCluster spec. - apiGroups: - authentication.stackable.tech resources: @@ -116,6 +110,7 @@ rules: - get - list - watch + # Required to report reconciliation results and warnings. - apiGroups: - events.k8s.io resources: 
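Review bot: The `customresourcedefinitions` rule grants `create` and `patch` cluster-wide with no `resourceNames`, so whenever `maintenance.customResourceDefinitions.maintain` is enabled the operator can modify any CRD in the cluster, including other operators' conversion-webhook configuration. `create` cannot be scoped by name, but `patch` can: splitting the maintenance verbs into a create rule and a patch rule whose `resourceNames` lists this operator's own CRDs (names follow the `<plural>.<group>` convention, built from the `{{ include "operator.name" . }}clusters` / `znodes` resources and the `{{ include "operator.name" . }}.stackable.tech` group already used in this template) keeps the write surface to those objects. The hunk also keeps the older comment ("Required to maintain the CRD. The operator needs to do this…") directly under the new header comment that says the same thing; one of the two should go, and since `list`/`watch` now sit outside `{{- end }}`, the header's "Also required for the startup condition check" is the sentence that explains them. The enclosing `rules:` sequence starts and ends outside this hunk.
```yaml
  # Required for maintaining the CRDs (including the conversion webhook certificate).
  # Also required for the startup condition check.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - list
      - watch
  {{- if .Values.maintenance.customResourceDefinitions.maintain }}
  # create cannot be restricted by resourceNames; patch is limited to this operator's own CRDs.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    resourceNames:
      - {{ include "operator.name" . }}clusters.{{ include "operator.name" . }}.stackable.tech
      - {{ include "operator.name" . }}znodes.{{ include "operator.name" . }}.stackable.tech
    verbs:
      - patch
  {{- end }}
  # … unchanged: AuthenticationClass rule and the rest of the hunk …
```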
@@ -123,64 +118,43 @@ rules: verbs: - create - patch + # Listener created per role group for external access. Applied via SSA and tracked for + # orphan cleanup. - apiGroups: - listeners.stackable.tech resources: - listeners verbs: + - create + - delete - get - list - - watch - patch - - create - - delete + # Primary CRD: watched and read during reconciliation. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - {{ include "operator.name" . }}clusters - - {{ include "operator.name" . }}znodes verbs: - get - list - - patch - watch + # ZookeeperZnode CRD: watched and read during reconciliation. + # Patch is required to manage a finalizer for znode cleanup before deletion. - apiGroups: - {{ include "operator.name" . }}.stackable.tech resources: - - {{ include "operator.name" . }}clusters/status - - {{ include "operator.name" . }}znodes/status - verbs: - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "operator.name" . }}-clusterrole - labels: - {{- include "operator.labels" . | nindent 4 }} -rules: - - apiGroups: - - "" - resources: - - configmaps - - secrets - - serviceaccounts + - {{ include "operator.name" . }}znodes verbs: - get - - apiGroups: - - events.k8s.io - resources: - - events - verbs: - - create + - list - patch -{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + - watch + # Status subresource: updated at the end of every reconciliation. - apiGroups: - - security.openshift.io + - {{ include "operator.name" . }}.stackable.tech resources: - - securitycontextconstraints - resourceNames: - - nonroot-v2 + - {{ include "operator.name" . }}clusters/status + - {{ include "operator.name" . }}znodes/status verbs: - - use -{{ end }} + - patch diff --git a/deploy/helm/zookeeper-operator/templates/clusterrole-product.yaml b/deploy/helm/zookeeper-operator/templates/clusterrole-product.yaml new file mode 100644 index 00000000..963f56b0 --- /dev/null 
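Review bot: The `listeners` rule drops `watch`, yet its new comment gives the same "applied via SSA and tracked for orphan cleanup" rationale as the StatefulSet rule earlier in the file, which keeps `watch` and adds "owned by the controller"; from the comments alone a reader cannot tell why Listeners are not watched while StatefulSets are. If the controller registers no informer on Listener objects, state that explicitly, e.g. `# Listeners are read back with get only; the controller does not watch them.`; if it does, the informer will start failing with Forbidden once this role is deployed, so please confirm against the controller's watch registrations before merging. The comment on the status-subresource rule says the status is "updated", while the only verb granted is `patch`; "patched" would match the rule. The enclosing `rules:` sequence starts before this hunk.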
+++ b/deploy/helm/zookeeper-operator/templates/clusterrole-product.yaml @@ -0,0 +1,21 @@ +--- +# Product ClusterRole: bound (via per ZookeeperCluster RoleBinding) to the ServiceAccount that +# ZooKeeper workload pods run as. +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "operator.name" . }}-clusterrole + labels: + {{- include "operator.labels" . | nindent 4 }} +rules: +{{ if .Capabilities.APIVersions.Has "security.openshift.io/v1" }} + # Required on OpenShift to allow ZooKeeper pods to run as a non-root user. + - apiGroups: + - security.openshift.io + resources: + - securitycontextconstraints + resourceNames: + - nonroot-v2 + verbs: + - use +{{ end }}
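Review bot: On a cluster without `security.openshift.io/v1` — and on plain `helm template`, which only knows the API versions supplied via `--api-versions` — the `{{ if }}` block renders nothing and the manifest ends in a bare `rules:` key, i.e. `rules: null`. The API server should accept that because the field is optional, but yamllint flags it as an empty value and anyone reading the rendered output sees a ClusterRole with no rules and no explanation, even though the per-ZookeeperCluster RoleBinding still references it. Either extend the header comment, e.g. `# On non-OpenShift clusters this role intentionally carries no rules; the per-cluster RoleBinding still binds it.`, or move `rules:` inside the conditional with an `{{ else }}` branch that renders `rules: []` explicitly.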