diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index 507b393a8d3..72a5a69ddfd 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -94,21 +94,6 @@ rules:
 verbs:
 - "update"
- # Source resources and statuses we care about.
- - apiGroups:
- - "sources.eventing.knative.dev"
- resources:
- - "cronjobsources"
- - "cronjobsources/status"
- - "cronjobsources/finalizers"
- - "containersources"
- - "containersources/status"
- - "containersources/finalizers"
- - "apiserversources"
- - "apiserversources/status"
- - "apiserversources/finalizers"
- verbs: *everything
-
 # The subscription controller needs to retrieve and watch CustomResourceDefinitions.
 - apiGroups:
 - "apiextensions.k8s.io"
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml
index f611ef72427..f4b143df780 100644
--- a/config/200-serviceaccount.yaml
+++ b/config/200-serviceaccount.yaml
@@ -27,3 +27,11 @@ metadata:
 namespace: knative-eventing
 labels:
 eventing.knative.dev/release: devel
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eventing-source-controller
+ namespace: knative-eventing
+ labels:
+ eventing.knative.dev/release: devel
diff --git a/config/200-sourcecontroller-clusterrole.yaml b/config/200-sourcecontroller-clusterrole.yaml
new file mode 100644
index 00000000000..be0b0be9510
--- /dev/null
+++ b/config/200-sourcecontroller-clusterrole.yaml
@@ -0,0 +1,78 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: knative-eventing-source-controller
+ labels:
+ eventing.knative.dev/release: devel
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - "secrets"
+ - "configmaps"
+ - "services"
+ verbs: &everything
+ - "get"
+ - "list"
+ - "create"
+ - "update"
+ - "delete"
+ - "patch"
+ - "watch"
+
+ # Deployments admin
+ - apiGroups:
+ - "apps"
+ resources:
+ - "deployments"
+ verbs: *everything
+
+ # Source resources and statuses we care about.
+ - apiGroups:
+ - "sources.eventing.knative.dev"
+ resources:
+ - "cronjobsources"
+ - "cronjobsources/status"
+ - "cronjobsources/finalizers"
+ - "containersources"
+ - "containersources/status"
+ - "containersources/finalizers"
+ - "apiserversources"
+ - "apiserversources/status"
+ - "apiserversources/finalizers"
+ verbs: *everything
+
+ # Knative Services admin
+ - apiGroups:
+ - serving.knative.dev
+ resources:
+ - services
+ verbs: *everything
+
+ # EventTypes admin
+ - apiGroups:
+ - eventing.knative.dev
+ resources:
+ - eventtypes
+ verbs: *everything
+
+ # Events admin
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs: *everything
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index e45155a6d7e..141874a0cb8 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
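Review bot: The first rule of the new `knative-eventing-source-controller` ClusterRole gives `secrets` the full `&everything` verb list (get, list, create, update, delete, patch, watch), and this commit binds the role through a ClusterRoleBinding, so the grant applies in every namespace and a compromised or buggy sources controller could read or rewrite any Secret in the cluster. Nothing visible in this diff shows the controller writing Secrets; if it only reads them, move `"secrets"` into its own rule with `verbs: ["get", "list", "watch"]`, or drop the entry if the reconcilers never touch Secrets. The closing `events` rule could likewise be reduced to `verbs: ["create", "patch"]` if the controller only records events, which is presumably the case but cannot be confirmed from here. A one-line comment above each rule naming the reconciler that needs it would make later tightening easier to review.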
@@ -77,3 +77,37 @@ roleRef:
 kind: ClusterRole
 name: knative-eventing-webhook
 apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eventing-source-controller
+ labels:
+ eventing.knative.dev/release: devel
+subjects:
+ - kind: ServiceAccount
+ name: eventing-source-controller
+ namespace: knative-eventing
+roleRef:
+ kind: ClusterRole
+ name: knative-eventing-source-controller
+ apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eventing-source-controller-resolver
+ labels:
+ eventing.knative.dev/release: devel
+subjects:
+ - kind: ServiceAccount
+ name: eventing-source-controller
+ namespace: knative-eventing
+roleRef:
+ kind: ClusterRole
+ name: addressable-resolver
+ apiGroup: rbac.authorization.k8s.io
diff --git a/config/500-sources-controller.yaml b/config/500-sources-controller.yaml
index e7e3c082e9d..199df627362 100644
--- a/config/500-sources-controller.yaml
+++ b/config/500-sources-controller.yaml
@@ -32,7 +32,7 @@ spec:
 app: sources-controller
 eventing.knative.dev/release: devel
 spec:
- serviceAccountName: eventing-controller
+ serviceAccountName: eventing-source-controller
 containers:
 - name: controller
 # This is the Go import path for the binary that is containerized
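Review bot: The second added binding, `eventing-source-controller-resolver`, points at a ClusterRole named `addressable-resolver` that this diff neither defines nor explains, so a reader of this file cannot tell what the new service account gains from it. Add a comment above that document, for example `# Lets the source controller resolve sink references to addressable resources.`, worded only after confirming what `addressable-resolver` actually grants. If that role turns out to be an aggregated ClusterRole, its effective permissions grow whenever another role is labelled into it, which is worth stating in the same comment so the binding is re-reviewed when that happens.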