CloudBees Previews creates a separate ServiceAccount within each preview Namespace, and uses it to deploy or undeploy user-defined manifests into that Namespace.
User permissions within a preview Namespace are defined by a globally configured ClusterRole bound to the preview’s ServiceAccount (deployer-sa), and scoped to its Namespace using a RoleBinding.
If the default ClusterRole (<RELEASE_NAME>-deployer-childns-clusterrole) does not meet your requirements, you can manage your own ClusterRole separately and assign its name to the Helm chart value operator.deployer.clusterRole.
Refer to CloudBees Previews Helm chart values for more information.