diff --git a/charts/kargo/templates/api/cluster-role.yaml b/charts/kargo/templates/api/cluster-role.yaml index cf06717e7..7b982a304 100644 --- a/charts/kargo/templates/api/cluster-role.yaml +++ b/charts/kargo/templates/api/cluster-role.yaml @@ -100,6 +100,10 @@ rules: - "*" {{- end }} --- +# This role is bound to the API server ServiceAccount and the kargo-admin +# ServiceAccount in project namespaces as they are created. This dynamically +# extends the API server's and any (global) admin's most sensitive permissions +# on a per-namespace basis instead of granting them cluster-wide. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/kargo/templates/users/cluster-roles.yaml b/charts/kargo/templates/users/cluster-roles.yaml index 24fe1fa96..7b672d50c 100644 --- a/charts/kargo/templates/users/cluster-roles.yaml +++ b/charts/kargo/templates/users/cluster-roles.yaml @@ -10,22 +10,18 @@ rules: - "" resources: - events - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - namespaces + # secrets permissions are granted dynamically at the project-level + - serviceaccounts # writes on serviceaccounts are granted dynamically at the project-level verbs: - get - list - watch - apiGroups: - - "" + - rbac.authorization.k8s.io resources: - - serviceaccounts + - rolebindings # writes on rolebindings are granted dynamically at the project-level + - roles # writes on roles are granted dynamically at the project-level verbs: - get - list 
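Review bot: The new header comment uses `#` rather than a Helm template comment, so it will be emitted verbatim into every rendered manifest in front of the `apiVersion` line; that is harmless to the parser but lands maintainer-facing text in cluster objects. If the note is meant for chart maintainers, wrapping it as `{{- /* ... */ }}` keeps it out of `helm template` output while preserving the explanation. The comment also says the RoleBindings are created "as project namespaces are created" without naming which component does that; adding the responsible controller or template to the comment would let a reader find where the per-namespace grant actually happens, since nothing in this hunk shows it. The ClusterRole's `metadata.name` and `rules` lie outside the hunk.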
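Review bot: The reads on `serviceaccounts`, `rolebindings` and `roles` remain cluster-wide here (this is a ClusterRole) while the inline comments say only the writes were moved to the per-project grants; if the intent is that a project admin only sees RBAC objects in their own projects, the `get`/`list`/`watch` verbs should move to the dynamically bound Role as well, and if cluster-wide read really is intended the comment should say so rather than leaving the reader to infer it. The comment `# secrets permissions are granted dynamically at the project-level` describes something not present on either side of this hunk, so it is worth confirming that no other rule in this ClusterRole (the `rules:` list starts above the hunk) still grants `secrets` reads. The hunk at `@@ -93,22 +86,17 @@` makes the same consolidation for the second ClusterRole without the explanatory comments; mirroring them there keeps the two roles readable side by side.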
@@ -34,52 +30,49 @@ rules: - kargo.akuity.io resources: - freights + - projects + - stages + - warehouses verbs: - - delete - - get - - list - - patch - - watch -- apiGroups: - - kargo.akuity.io - resources: - - freights/status - verbs: - - patch - - update + - "*" # full access to all mutable Kargo resource types - apiGroups: - kargo.akuity.io resources: - - projects - stages - - warehouses verbs: - - "*" + - promote # promotion permission for all stages - apiGroups: - kargo.akuity.io resources: - promotions - verbs: + verbs: # nearly full access to all promotions, but they are immutable - create + - delete - get - list - - patch - watch -{{- if .Values.api.rollouts.integrationEnabled }} - apiGroups: - - argoproj.io + - kargo.akuity.io resources: - - analysistemplates + - freights/status verbs: - - "*" + - patch # for manual approvals +{{- if .Values.api.rollouts.integrationEnabled }} - apiGroups: - argoproj.io resources: - analysisruns - verbs: + verbs: # view and delete analysisruns + - delete - get - list - watch +- apiGroups: + - argoproj.io + resources: + - analysistemplates + verbs: + - "*" # full access to analysistemplates {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 @@ -93,22 +86,17 @@ rules: - "" resources: - events - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - namespaces + - serviceaccounts verbs: - get - list - watch - apiGroups: - - "" + - rbac.authorization.k8s.io resources: - - serviceaccounts + - rolebindings + - roles verbs: - get - list @@ -126,18 +114,11 @@ rules: - list - watch {{- if .Values.api.rollouts.integrationEnabled }} -- apiGroups: - - argoproj.io - resources: - - analysistemplates - verbs: - - get - - list - - watch - apiGroups: - argoproj.io resources: - analysisruns + - analysistemplates verbs: - get - list
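Review bot: The separate rule granting `promote` on `stages` is redundant with the first rule, which now grants verbs `"*"` on `stages`; Kubernetes RBAC treats `*` as matching any requested verb, including non-standard verbs such as `promote` checked through SubjectAccessReview, so the second rule adds no permission. If it is kept deliberately to make the custom verb visible, its comment should say so, e.g. `- promote # already covered by "*" on stages above; listed to document the custom verb`; otherwise drop the rule to avoid implying that `"*"` excludes it. For the same reason the comment `# full access to all mutable Kargo resource types` understates what `"*"` grants, since it also covers every custom verb on those resources, and `projects` is a cluster-scoped resource so this is full cluster-wide control over projects, which is presumably intended for an admin role but worth stating. The rule list continues beyond the hunk in both directions.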