diff --git a/pkg/services/serviceaccounts/manager/roles.go b/pkg/services/serviceaccounts/manager/roles.go
index ffc4eb4ed53..11f8b23d1cd 100644
--- a/pkg/services/serviceaccounts/manager/roles.go
+++ b/pkg/services/serviceaccounts/manager/roles.go
@@ -8,11 +8,19 @@ import (
 var (
 role = accesscontrol.RoleRegistration{
 Role: accesscontrol.RoleDTO{
- Version: 2,
+ Version: 3,
 Name: "fixed:serviceaccounts:writer",
- Description: "",
+ DisplayName: "Service accounts writer",
+ Description: "Create, delete, read, or query service accounts.",
 Group: "Service accounts",
 Permissions: []accesscontrol.Permission{
+ {
+ Action: serviceaccounts.ActionRead,
+ Scope: serviceaccounts.ScopeAll,
+ },
+ {
+ Action: serviceaccounts.ActionCreate,
+ },
 {
 Action: serviceaccounts.ActionDelete,
 Scope: serviceaccounts.ScopeAll,
diff --git a/pkg/services/serviceaccounts/models.go b/pkg/services/serviceaccounts/models.go
index 6a77cd71210..6a5070a2e38 100644
--- a/pkg/services/serviceaccounts/models.go
+++ b/pkg/services/serviceaccounts/models.go
@@ -8,5 +8,8 @@ var (
 )
 
 const (
+ ActionRead = "serviceaccounts:read"
+ ActionWrite = "serviceaccounts:write"
+ ActionCreate = "serviceaccounts:create"
 ActionDelete = "serviceaccounts:delete"
 )
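Review bot: The permission list for `fixed:serviceaccounts:writer` in the roles.go hunk grants read, create and delete but not `serviceaccounts.ActionWrite`, which the models.go hunk of this same commit defines, so as far as these lines show a role named "writer" cannot update a service account. If update is meant to be covered, add `{Action: serviceaccounts.ActionWrite, Scope: serviceaccounts.ScopeAll},` to the list; if not, the new description is accurate and the constant is better left out until something grants it. The `ActionCreate` entry is the only one without a `Scope`; a comment such as `// create targets no existing service account, so it is unscoped` would show the omission is deliberate rather than a forgotten field. The registration continues outside the hunk (the closing braces and any grants to built-in roles), so who receives these permissions cannot be checked from here.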
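Review bot: The three action constants added to the `const` block in the models.go hunk are exported without a doc comment, and nothing on the block says which of them are meant to be checked against a scope. These strings are what role definitions match on, so a group comment would help the next person who adds a grant, for example `// Actions for service account access control. Read and delete are granted against a serviceaccounts scope; create is unscoped.` The wording for `ActionWrite` should be confirmed against whatever enforces it, which is not part of this diff.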