diff --git a/component/main.jsonnet b/component/main.jsonnet
index 1672148..e133c26 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -19,6 +19,46 @@ local namespaceAnnotations = (
 local secrets = com.generateResources(params.secrets, function(name) com.namespaced(params.namespace, kube.Secret(name) + common.DefaultLabels));
+/**
+ * appuio-ns-provisioner role allows to create namespaces
+ */
+local appuioNsProvisionerRole = kube.ClusterRole('appuio-ns-provisioner') {
+ rules: [
+ {
+ apiGroups: [
+ '',
+ ],
+ resources: [
+ 'namespaces',
+ ],
+ verbs: [
+ 'create',
+ ],
+ },
+ ],
+};
+
+/**
+ * appuio-ns-provisioners cluster role binding allows authenticated users to create namespaces
+ */
+local appuioNsProvisionersRoleBinding = kube.ClusterRoleBinding('appuio-ns-provisioners') {
+ roleRef: {
+ apiGroup: 'rbac.authorization.k8s.io',
+ kind: 'ClusterRole',
+ name: 'appuio-ns-provisioner',
+ },
+ subjects: [
+ {
+ kind: 'Group',
+ name: 'system:authenticated:oauth',
+ },
+ {
+ kind: 'Group',
+ name: 'system:serviceaccounts',
+ },
+ ],
+};
+
 {
 '00_namespace': kube.Namespace(params.namespace) {
 metadata+: {
@@ -27,4 +67,8 @@ local secrets = com.generateResources(params.secrets, function(name) com.namespa
 },
 } + common.DefaultLabels,
 '00_secrets': secrets,
+
+ '01_appuio_ns_provisioner_role': appuioNsProvisionerRole + common.DefaultLabels,
+ '01_appuio_ns_provisioners_crb': appuioNsProvisionersRoleBinding + common.DefaultLabels,
+
 }
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_appuio_ns_provisioner_role.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_appuio_ns_provisioner_role.yaml
new file mode 100644
index 0000000..aedc0af
--- /dev/null
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_appuio_ns_provisioner_role.yaml
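Review bot: The `appuioNsProvisionersRoleBinding` subject list binds the `system:serviceaccounts` group, which is every service account in every namespace of the cluster, so any pod's mounted token can create cluster-scoped namespaces, while the comment above it only speaks of "authenticated users". If service accounts are not meant to self-provision, drop that subject; if only a few are, bind the per-namespace `system:serviceaccounts:<namespace>` groups instead. Nothing in this hunk bounds how many namespaces a subject may create or which names it may take, so that presumably relies on admission control elsewhere in the component — worth stating so the binding is not read as the whole policy. Suggested comment: ` * Grants namespace creation to all OAuth-authenticated users AND to every service account cluster-wide (system:serviceaccounts); name/count limits are not enforced by this binding`.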
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/component: appuio-cloud
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: appuio-cloud
+ name: appuio-ns-provisioner
+ name: appuio-ns-provisioner
+rules:
+ - apiGroups:
+ - ''
+ resources:
+ - namespaces
+ verbs:
+ - create
diff --git a/tests/golden/defaults/appuio-cloud/appuio-cloud/01_appuio_ns_provisioners_crb.yaml b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_appuio_ns_provisioners_crb.yaml
new file mode 100644
index 0000000..bf490ec
--- /dev/null
+++ b/tests/golden/defaults/appuio-cloud/appuio-cloud/01_appuio_ns_provisioners_crb.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations: {}
+ labels:
+ app.kubernetes.io/component: appuio-cloud
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: appuio-cloud
+ name: appuio-ns-provisioners
+ name: appuio-ns-provisioners
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: appuio-ns-provisioner
+subjects:
+ - kind: Group
+ name: system:authenticated:oauth
+ - kind: Group
+ name: system:serviceaccounts