diff --git a/helm/flowfuse/templates/service-account.yaml b/helm/flowfuse/templates/service-account.yaml
index 19712029..7274671b 100644
--- a/helm/flowfuse/templates/service-account.yaml
+++ b/helm/flowfuse/templates/service-account.yaml
@@ -30,11 +30,11 @@ metadata:
 {{- end }}
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}
+ namespace: {{ .Values.forge.projectNamespace | default "flowforge" }}
 labels:
 {{- include "forge.labels" . | nindent 4 }}
 rules:
@@ -45,7 +45,7 @@ rules:
 resources: ["deployments", "deployment/status"]
 verbs: ["create", "patch", "get", "list", "update", "watch", "delete"]
 - apiGroups: [""]
- resources: ["persistentvolumes", "persistentvolumeclaims"]
+ resources: ["persistentvolumeclaims"]
 verbs: ["create", "patch", "get", "list", "watch", "delete"]
 - apiGroups: [""]
 resources: ["services"]
@@ -63,8 +63,8 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}
- namespace: {{ .Values.forge.projectNamespace }}
+ name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}-limited
+ namespace: {{ .Values.forge.projectNamespace | default "flowforge" }}
 labels:
 {{- include "forge.labels" . | nindent 4 }}
 subjects:
@@ -72,6 +72,6 @@ subjects:
 name: flowforge
 namespace: {{ .Release.Namespace }}
 roleRef:
- kind: ClusterRole
+ kind: Role
 name: {{ ((.Values.forge).clusterRole).name | default "create-pod" }}
 apiGroup: rbac.authorization.k8s.io
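Review bot: The added `namespace:` line in the first hunk reads `.Values.forge.projectNamespace` directly, while the `name:` line just above it uses the nil-safe form `((.Values.forge).clusterRole).name`; if `forge` is ever absent from the values, the `default` is never reached and rendering fails. Writing it as `namespace: {{ (.Values.forge).projectNamespace | default "flowforge" | quote }}` keeps the two lines consistent. The same expression is repeated on the RoleBinding in the third hunk, and both must render to the same namespace because a RoleBinding only resolves a Role in its own namespace, so a single named template would be safer than two copies. Now that the object is a namespaced Role, any cluster-scoped resource still listed in the rules outside this hunk would grant nothing and is worth checking.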
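Review bot: The context line `resources: ["deployments", "deployment/status"]` at the top of the second hunk names a subresource that does not exist; RBAC matches subresources as `<plural>/<subresource>`, so the entry should read `"deployments/status"` and as written it grants nothing. The rule it belongs to starts above the hunk, so its `apiGroups` is not visible here. Since this commit is already tightening the rule set, it is a natural place to correct the entry. Separately, with `persistentvolumes` removed, any code path that still reads or lists PersistentVolume objects will now be denied; the caller is not part of this diff, so that should be confirmed before release.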
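Review bot: The `-limited` suffix added to the RoleBinding name in the third hunk has no explanation, and the reason probably matters for upgrades: `roleRef` is immutable, so changing an existing binding from `ClusterRole` to `Role` in place (the last hunk) would be rejected by the API server, and a new object name avoids that. If that is the intent, a comment above `name:` such as `# renamed: roleRef is immutable and the previous binding pointed at a ClusterRole` would record it. The `roleRef.name` in the last hunk keeps the unsuffixed name, which matches the Role in the first hunk. After upgrading, it is worth verifying that the old ClusterRole and the old binding are really gone from the cluster, because a leftover would keep the wider grant in effect.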