diff --git a/config/services/quota/iam/kustomization.yaml b/config/services/quota/iam/kustomization.yaml
index 678a5728..7d7d9424 100644
--- a/config/services/quota/iam/kustomization.yaml
+++ b/config/services/quota/iam/kustomization.yaml
@@ -4,3 +4,4 @@ kind: Component
 components:
 - protected-resources
 - roles
+ - policies
diff --git a/config/services/quota/iam/policies/authenticated-user-resource-registration-read.yaml b/config/services/quota/iam/policies/authenticated-user-resource-registration-read.yaml
new file mode 100644
index 00000000..c89d3b6a
--- /dev/null
+++ b/config/services/quota/iam/policies/authenticated-user-resource-registration-read.yaml
@@ -0,0 +1,14 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: PolicyBinding
+metadata:
+ name: authenticated-user-resource-registration-read
+spec:
+ roleRef:
+ name: quota.miloapis.com-resource-registration-viewer
+ subjects:
+ - kind: Group
+ name: "system:authenticated"
+ resourceSelector:
+ resourceKind:
+ apiGroup: "quota.miloapis.com"
+ kind: ResourceRegistration
diff --git a/config/services/quota/iam/policies/kustomization.yaml b/config/services/quota/iam/policies/kustomization.yaml
new file mode 100644
index 00000000..101d479d
--- /dev/null
+++ b/config/services/quota/iam/policies/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configurations:
+ - kustomizeconfig.yaml
+
+resources:
+ - authenticated-user-resource-registration-read.yaml
diff --git a/config/services/quota/iam/policies/kustomizeconfig.yaml b/config/services/quota/iam/policies/kustomizeconfig.yaml
new file mode 100644
index 00000000..94afa758
--- /dev/null
+++ b/config/services/quota/iam/policies/kustomizeconfig.yaml
@@ -0,0 +1,5 @@
+namespace:
+- kind: PolicyBinding
+ group: iam.miloapis.com
+ path: spec/roleRef/namespace
+ create: true
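Review bot: The subjects entry binds the `system:authenticated` group and the resourceSelector names only `apiGroup`/`kind`, so every authenticated principal receives the viewer role's get/list/watch on every ResourceRegistration object rather than on a named or namespaced subset, and nothing in the new PolicyBinding records that this breadth is intended. A header comment above `apiVersion` would make the grant reviewable, e.g. `# Read-only (get/list/watch) access to every ResourceRegistration for any authenticated principal; revisit before adding fields to that resource that must not be visible to all users.` The `roleRef` carries no namespace; the kustomizeconfig.yaml hunk later in this change injects `spec/roleRef/namespace` from the enclosing kustomization's namespace, which has to resolve to `milo-system` where the referenced Role is declared, and that cannot be confirmed from this diff.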
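Review bot: As far as the collapsed diff shows, the sequence under `namespace:` in kustomizeconfig.yaml is written flush (`- kind: PolicyBinding` at the key's column) while the sibling policies/kustomization.yaml indents its `configurations` and `resources` items, so the new directory mixes both block-sequence styles. Indent the entry to match, `  - kind: PolicyBinding` with `group`, `path` and `create` aligned beneath it, or use flush style in both files. Because `create: true` adds the field when it is absent, the transformer silently does nothing if the enclosing kustomization sets no namespace; a one-line comment such as `# Fills spec.roleRef.namespace from the kustomization namespace so the binding resolves its Role.` documents what the entry relies on.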
diff --git a/config/services/quota/iam/roles/feature-flag-viewer.yaml b/config/services/quota/iam/roles/feature-flag-viewer.yaml
new file mode 100644
index 00000000..938fa3de
--- /dev/null
+++ b/config/services/quota/iam/roles/feature-flag-viewer.yaml
@@ -0,0 +1,17 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: Role
+metadata:
+ name: quota.miloapis.com-resource-registration-viewer
+ namespace: milo-system
+ annotations:
+ kubernetes.io/display-name: Resource Registration Viewer
+ kubernetes.io/description: View access to the ResourceRegistration catalog (feature flags, entities, allocations)
+ labels:
+ quota.miloapis.com/role-type: viewer
+ quota.miloapis.com/service: quota
+spec:
+ launchStage: Beta
+ includedPermissions:
+ - quota.miloapis.com/resourceregistrations.get
+ - quota.miloapis.com/resourceregistrations.list
+ - quota.miloapis.com/resourceregistrations.watch
diff --git a/config/services/quota/iam/roles/kustomization.yaml b/config/services/quota/iam/roles/kustomization.yaml
index 98938e6a..b2c602e4 100644
--- a/config/services/quota/iam/roles/kustomization.yaml
+++ b/config/services/quota/iam/roles/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - quota-viewer.yaml
 - quota-operator.yaml
 - organization-quota-manager.yaml
+ - feature-flag-viewer.yaml
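Review bot: The file is named `feature-flag-viewer.yaml` but the Role it declares is `quota.miloapis.com-resource-registration-viewer` with display name `Resource Registration Viewer`, and the only mention of feature flags is a parenthetical in the description; anyone searching for the resource-registration viewer will not find this file, and the filename suggests a narrower grant than the three `resourceregistrations.*` permissions actually give. Renaming it to `resource-registration-viewer.yaml`, together with the entry added in roles/kustomization.yaml in the final hunk, keeps file and resource names aligned as the sibling entries (`quota-viewer.yaml`, `quota-operator.yaml`) already are. The description would also serve reviewers better if it named the verbs, e.g. `kubernetes.io/description: Read-only access (get, list, watch) to ResourceRegistration objects, the catalog of feature flags, entities and allocations`.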