diff --git a/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet b/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet
new file mode 100644
index 0000000000000000000000000000000000000000..423db89653eb280a813f8d07fd52043f75d0e30b
--- /dev/null
+++ b/jsonnet/kube-prometheus/addons/user-facing-roles.libsonnet
@@ -0,0 +1,67 @@
+// user facing roles for monitors, probe, and rules
+// ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+{
+  prometheusOperator+: {
+    local po = self,
+    clusterRoleView: {
+      apiVersion: 'rbac.authorization.k8s.io/v1',
+      kind: 'ClusterRole',
+      metadata: po._metadata {
+        name: 'monitoring-view',
+        namespace:: null,
+        labels+: {
+          'rbac.authorization.k8s.io/aggregate-to-view': 'true',
+        },
+      },
+      rules: [
+        {
+          apiGroups: [
+            'monitoring.coreos.com',
+          ],
+          resources: [
+            'podmonitors',
+            'probes',
+            'prometheusrules',
+            'servicemonitors',
+          ],
+          verbs: [
+            'get',
+            'list',
+            'watch',
+          ],
+        },
+      ],
+    },
+    clusterRoleEdit: {
+      apiVersion: 'rbac.authorization.k8s.io/v1',
+      kind: 'ClusterRole',
+      metadata: po._metadata {
+        name: 'monitoring-edit',
+        namespace:: null,
+        labels+: {
+          'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+        },
+      },
+      rules: [
+        {
+          apiGroups: [
+            'monitoring.coreos.com',
+          ],
+          resources: [
+            'podmonitors',
+            'probes',
+            'prometheusrules',
+            'servicemonitors',
+          ],
+          verbs: [
+            'create',
+            'delete',
+            'deletecollection',
+            'patch',
+            'update',
+          ],
+        },
+      ],
+    },
+  },
+}
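Review bot: The `rbac.authorization.k8s.io/aggregate-to-edit` label on `clusterRoleEdit` widens the built-in `edit` role for every subject already bound to it in any namespace, and the file's header comment does not say so. Once the addon is enabled, a namespace tenant with `edit` can create ServiceMonitors, PodMonitors, Probes and PrometheusRules, which steer what a shared Prometheus scrapes and which credentials it presents. I would add a comment above `clusterRoleEdit`, for example `// NOTE: aggregates into the built-in 'edit' role; all existing edit bindings gain write access to monitoring.coreos.com objects`. The header should also recommend pairing the addon with `arbitraryFSAccessThroughSMs: { deny: true }` on the Prometheus spec when tenants are not fully trusted. Separately, `monitoring-edit` has no `get`/`list`/`watch` verbs, so it presumably relies on `monitoring-view` reaching `edit` through the default view-to-edit aggregation; a one-line comment saying it is not meant to be bound on its own would prevent surprises.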