Describe required permissions to deploy catalog apps

Catherine Luse
2019-12-30 17:01:11 -07:00
parent 1050b06740
commit babbecfa18
3 changed files with 24 additions and 0 deletions
@@ -17,6 +17,7 @@ Rancher improves on Helm catalogs and charts. All native Helm charts can work wi
This section covers the following topics:
- [Prerequisites](#prerequisites)
- [Catalog scopes](#catalog-scopes)
- [Enabling built-in global catalogs](#enabling-built-in-global-catalogs)
- [Adding custom global catalogs](#adding-custom-global-catalogs)
@@ -29,6 +30,15 @@ This section covers the following topics:
- [Global DNS](#global-dns)
- [Chart compatibility with Rancher](#chart-compatibility-with-rancher)
# Prerequisites
When Rancher deploys a catalog app, it launches an ephemeral instance of a Helm service account that has the permissions of the user deploying the catalog app. Therefore, a user cannot gain more access to the cluster through Helm or a catalog application than they otherwise would have.
To launch a catalog app or a multi-cluster app, you should have at least one of the following permissions:
- A [project-member role]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads
- A [cluster owner role]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the cluster that include the target project
# Catalog Scopes
Within Rancher, you can manage catalogs at three different scopes. Global catalogs are shared across all clusters and project. There are some use cases where you might not want to share catalogs across between different clusters or even projects in the same cluster. By leveraging cluster and project scoped catalogs, you will be able to provide applications for specific teams without needing to share them with all clusters and/or projects.
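Review bot: The added sentence before the role list says you "should have" at least one of the listed permissions, while the same requirement in the other two files of this commit reads "must have"; if a role is actually required to launch the app, use "must" here as well so the three pages agree. In the project-member bullet, the role is described as being "in the target cluster" although the link points to project roles; "in the target project" would state the scope more precisely. In the cluster owner bullet, "the cluster that include the target project" should read "includes".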
@@ -7,6 +7,13 @@ Within a project, when you want to deploy applications from catalogs, the applic
If your application is using ingresses, you can program the ingress hostname to an external DNS by setting up a [Global DNS entry]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/).
## Prerequisites
To create a multi-cluster app in Rancher, you must have at least one of the following permissions:
- A [project-member role]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster, which gives you the ability to create, read, update, and delete the workloads
- A [cluster owner role]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the cluster that include the target project
## Launching Catalog Applications
After you've either enabled the [built-in global catalogs]({{< baseurl >}}/rancher/v2.x/en/catalog/built-in/) or [added your own custom catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/custom/adding), you can start launching catalog applications.
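Review bot: The sentence added under "## Prerequisites" reads "To create a multi-cluster app in Rancher", but the context lines around it and the next heading, "## Launching Catalog Applications", are about deploying catalog apps within a project, so this looks copied from the multi-cluster page. Suggest "To launch a catalog app in Rancher, you must have at least one of the following permissions:". The cluster owner bullet also carries the same grammar slip, "the cluster that include", which should be "includes".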
@@ -10,6 +10,13 @@ Any Helm charts from a [global catalog]({{< baseurl >}}/rancher/v2.x/en/catalog/
After creating a multi-cluster application, you can program a [Global DNS entry]({{< baseurl >}}/rancher/v2.x/en/catalog/globaldns/) to make it easier to access the application.
# Prerequisites
To create a multi-cluster app in Rancher, you must have at least one of the following permissions:
- A [project-member role]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#project-roles) in the target cluster(s), which gives you the ability to create, read, update, and delete the workloads
- A [cluster owner role]({{<baseurl>}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/#cluster-roles) for the clusters(s) that include the target project(s)
## Launching a Multi-Cluster App
1. From the **Global** view, choose **Apps** in the navigation bar. Click **Launch**.
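Review bot: The new heading is "# Prerequisites" at level 1, but the section that follows it in this file is "## Launching a Multi-Cluster App" at level 2, so the launch steps would nest under Prerequisites in the page outline; use "## Prerequisites" to keep the two sections as siblings. In the cluster owner bullet, "clusters(s)" has a doubled plural and should be "cluster(s)", matching "cluster(s)" and "project(s)" elsewhere in the same list.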