diff --git a/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl b/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl
index 49dfe097a..8812cfc34 100644
--- a/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl
+++ b/config/internal/mcad/clusterrole_mcad-controller.yaml.tmpl
@@ -11,10 +11,12 @@ metadata:
     codeflare.codeflare.dev/cr-namespace: {{.Namespace}}
 rules:
   - apiGroups:
+      - quota.codeflare.dev
       - workload.codeflare.dev
     resources:
       - queuejobs
       - schedulingspecs
+      - quotasubtrees
       - appwrappers
       - appwrappers/finalizers
       - appwrappers/status
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 691c9dfb4..a2cc83f90 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -270,6 +270,25 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - quota.codeflare.dev
+  - workload.codeflare.dev
+  resources:
+  - appwrappers
+  - appwrappers/finalizers
+  - appwrappers/status
+  - queuejobs
+  - quotasubtrees
+  - schedulingspecs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
@@ -318,20 +337,3 @@ rules:
   - get
   - list
   - watch
-- apiGroups:
-  - workload.codeflare.dev
-  resources:
-  - appwrappers
-  - appwrappers/finalizers
-  - appwrappers/status
-  - queuejobs
-  - schedulingspecs
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
diff --git a/controllers/mcad_controller.go b/controllers/mcad_controller.go
index 9dfecc24a..ce32f08bd 100644
--- a/controllers/mcad_controller.go
+++ b/controllers/mcad_controller.go
@@ -102,7 +102,7 @@ func (r *MCADReconciler) DeleteResource(params *MCADParams, template string, fns
 // +kubebuilder:rbac:groups=codeflare.codeflare.dev,resources=mcads,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=codeflare.codeflare.dev,resources=mcads/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=codeflare.codeflare.dev,resources=mcads/finalizers,verbs=update
-// +kubebuilder:rbac:groups=workload.codeflare.dev,resources=queuejobs;schedulingspecs;appwrappers;appwrappers/finalizers;appwrappers/status,verbs=get;list;watch;create;update;patch;delete;deletecollection
+// +kubebuilder:rbac:groups=workload.codeflare.dev;quota.codeflare.dev,resources=queuejobs;schedulingspecs;appwrappers;appwrappers/finalizers;appwrappers/status;quotasubtrees,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=core,resources=pods;lists;namespaces,verbs=get;list;watch;create;update;patch;delete;deletecollection
 // +kubebuilder:rbac:groups=core,resources=bindings;pods/binding,verbs=create
 // +kubebuilder:rbac:groups=core,resources=kube-scheduler,verbs=get;update