diff --git a/deployments/with-creds/ci/contributor-team-config.yml b/deployments/with-creds/ci/contributor-team-config.yml
new file mode 100644
index 0000000..8de0916
--- /dev/null
+++ b/deployments/with-creds/ci/contributor-team-config.yml
@@ -0,0 +1,8 @@
+# fly -t ci set-team -n contributor --config contributor-team-config.yml
+roles:
+- name: owner
+  github:
+    teams: ["concourse:pivotal"]
+- name: pipeline-operator
+  github:
+    teams: ["concourse:contributors"]
diff --git a/deployments/with-creds/ci/values.yaml b/deployments/with-creds/ci/values.yaml
index 188ba80..3d5ae40 100644
--- a/deployments/with-creds/ci/values.yaml
+++ b/deployments/with-creds/ci/values.yaml
@@ -87,6 +87,27 @@ concourse:
             team: concourse:Pivotal
         github:
           enabled: true
+      # so pipeline-operator ended up with two permissions
+      # - RerunJobBuild
+      # - CheckResource
+      # which will be granted to concourse:contributors for
+      # operating PR pipeline
+      configRBAC: |
+        member:
+        - AbortBuild
+        - CreateJobBuild
+        - PauseJob
+        - UnpauseJob
+        - ClearTaskCache
+        - UnpinResource
+        - SetPinCommentOnResource
+        - CheckResourceWebHook
+        - CheckResourceType
+        - EnableResourceVersion
+        - DisableResourceVersion
+        - PinResourceVersion
+        - PausePipeline
+        - UnpausePipeline
       bindPort: 80
       clusterName: ci
       containerPlacementStrategy: limit-active-tasks