diff --git a/components/konflux-rbac/base/konflux-cron-sa-actions.yaml b/components/konflux-rbac/base/konflux-cron-sa-actions.yaml
new file mode 100644
index 00000000000..67e6113dfb0
--- /dev/null
+++ b/components/konflux-rbac/base/konflux-cron-sa-actions.yaml
@@ -0,0 +1,17 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: konflux-cron-sa-actions
+ labels:
+ konflux-cluster-role: "true"
+rules:
+ - verbs:
+ - get
+ - list
+ - watch
+ - patch
+ apiGroups:
+ - appstudio.redhat.com
+ resources:
+ - snapshots
\ No newline at end of file
diff --git a/components/konflux-rbac/base/kustomization.yaml b/components/konflux-rbac/base/kustomization.yaml
index fe979bde895..a98bcd8df88 100644
--- a/components/konflux-rbac/base/kustomization.yaml
+++ b/components/konflux-rbac/base/kustomization.yaml
@@ -3,3 +3,4 @@ kind: Kustomization
 resources:
 - appstudio-pipelines-runner.yaml
 - konflux-integration-runner.yaml
+- konflux-cron-sa-actions.yaml
diff --git a/components/policies/staging/base/konflux-rbac/bootstrap-tenant-namespace/bootstrap-tenant-namespace-np-konflux-cron-sa.yaml b/components/policies/staging/base/konflux-rbac/bootstrap-tenant-namespace/bootstrap-tenant-namespace-np-konflux-cron-sa.yaml
new file mode 100644
index 00000000000..43be7277d48
--- /dev/null
+++ b/components/policies/staging/base/konflux-rbac/bootstrap-tenant-namespace/bootstrap-tenant-namespace-np-konflux-cron-sa.yaml
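Review bot: The ClusterRole carries no comment recording which workload runs as `konflux-cron-sa` or why `patch` on Snapshots is needed next to the read-only verbs, so a later reviewer cannot tell whether the write permission is still required; add a header comment above `rules:` such as `# Bound to the konflux-cron-sa generated in each tenant namespace; patch is required for <REASON-PLACEHOLDER>` with the reason filled in. The policy file in this same commit generates a RoleBinding in every namespace labelled `konflux-ci.dev/type: tenant`, so these verbs apply to every tenant's Snapshots at once, which is worth stating in that comment. The file also ends without a trailing newline (`\ No newline at end of file`); add one so the next edit does not produce a noisy diff.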
@@ -0,0 +1,46 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: init-ns-cron-sa
+spec:
+ generateExisting: true
+ rules:
+ - name: generate-serviceaccount
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ konflux-ci.dev/type: tenant
+ generate:
+ kind: ServiceAccount
+ apiVersion: v1
+ name: konflux-cron-sa
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ - name: generate-snapshot-rolebinding
+ match:
+ any:
+ - resources:
+ kinds:
+ - Namespace
+ selector:
+ matchLabels:
+ konflux-ci.dev/type: tenant
+ generate:
+ kind: RoleBinding
+ apiVersion: rbac.authorization.k8s.io/v1
+ name: snapshot-access-binding
+ namespace: '{{request.object.metadata.name}}'
+ synchronize: true
+ data:
+ roleRef:
+ kind: ClusterRole
+ name: konflux-cron-sa-actions
+ apiGroup: rbac.authorization.k8s.io
+ subjects:
+ - kind: ServiceAccount
+ name: konflux-cron-sa
+ namespace: '{{request.object.metadata.name}}'
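Review bot: The generated RoleBinding is named `snapshot-access-binding`, a generic name inside a tenant-owned namespace that can collide with a tenant-authored RoleBinding of the same name, and with `synchronize: true` Kyverno may then skip or repeatedly reconcile that object depending on its version and settings; name it after what it binds, `name: konflux-cron-sa-snapshot-access`, matching the ClusterRole and ServiceAccount it references. Because the ServiceAccount is generated in the tenant namespace itself, any tenant workload that can set `serviceAccountName: konflux-cron-sa` inherits the Snapshot patch permission from this binding; if that is intended, a one-line comment above `rules:` saying so would save the next reader the inference. The same match block is repeated verbatim in both rules, which is fine, but the file lacks the `---` document-start marker that the ClusterRole file in this commit uses; add it for consistency.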