diff --git a/api/clusters/v1alpha1/accessrequest_types.go b/api/clusters/v1alpha1/accessrequest_types.go
index 7243547..c822a3c 100644
--- a/api/clusters/v1alpha1/accessrequest_types.go
+++ b/api/clusters/v1alpha1/accessrequest_types.go
@@ -45,6 +45,12 @@ type AccessRequestSpec struct {
 }
 
 type PermissionsRequest struct {
+ // Name is an optional name for the (Cluster)Role that will be created for the requested permissions.
+ // If not set, a randomized name that is unique in the cluster will be generated.
+ // Note that the AccessRequest will not be granted if the to-be-created (Cluster)Role already exists, but is not managed by the AccessRequest, so choose this name carefully.
+ // +optional
+ Name string `json:"name,omitempty"`
+
 // Namespace is the namespace for which the permissions are requested.
 // If empty, this will result in a ClusterRole, otherwise in a Role in the respective namespace.
 // Note that for a Role, the namespace needs to either exist or a permission to create it must be included in the requested permissions (it will be created automatically then), otherwise the request will be rejected.
diff --git a/api/clusters/v1alpha1/constants.go b/api/clusters/v1alpha1/constants.go
index ddde8f1..852cb8a 100644
--- a/api/clusters/v1alpha1/constants.go
+++ b/api/clusters/v1alpha1/constants.go
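Review bot: The new `Name` field is user-controlled and becomes the name of an RBAC (Cluster)Role, yet it carries only `// +optional` and no validation markers, so a value that is not a valid object name is rejected only when the controller attempts the create, not at admission. Adding at least `// +kubebuilder:validation:MaxLength=253` next to `// +optional`, plus a pattern marker matching whatever name format the controller accepts for roles, would surface bad input in the API server's error instead of in a reconcile loop. The comment also implies each entry gets a unique generated name when `Name` is empty, but it does not say what happens when two `PermissionsRequest` entries of the same AccessRequest set the same `Name` for the same `Namespace`; if that case is not rejected, it is worth documenting or validating. The body of `PermissionsRequest` continues outside the hunk.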
@@ -84,4 +84,13 @@ const (
 // SecretKeyCreationTimestamp is the name of the key in the AccessRequest secret that contains the creation timestamp.
 // This value is optional and must not be set for non-expiring authentication methods.
 SecretKeyCreationTimestamp = "creationTimestamp"
+ // SecretKeyCAData is the name of the key in the AccessRequest secret that contains the CA data.
+ // This value is optional and must not be set.
+ SecretKeyCAData = "caData"
+ // SecretKeyHost is the name of the key in the AccessRequest secret that contains the host.
+ // This value is optional and must not be set.
+ SecretKeyHost = "host"
+ // SecretKeyClientID is the name of the key in the AccessRequest secret that contains the client ID.
+ // This value is optional and must not be set for non-OIDC-based authentication methods.
+ SecretKeyClientID = "clientID"
 )
diff --git a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
index fc79718..5683e45 100644
--- a/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
+++ b/api/crds/manifests/clusters.openmcp.cloud_accessrequests.yaml
@@ -214,6 +214,12 @@ spec:
 For token-based access, the serviceaccount will be bound to the created Roles and ClusterRoles.
 items:
 properties:
+ name:
+ description: |-
+ Name is an optional name for the (Cluster)Role that will be created for the requested permissions.
+ If not set, a randomized name that is unique in the cluster will be generated.
+ Note that the AccessRequest will not be granted if the to-be-created (Cluster)Role already exists, but is not managed by the AccessRequest, so choose this name carefully.
+ type: string
 namespace:
 description: |-
 Namespace is the namespace for which the permissions are requested.
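Review bot: The doc comments on `SecretKeyCAData` and `SecretKeyHost` both read `// This value is optional and must not be set.`, which contradicts itself; the neighbouring `SecretKeyCreationTimestamp` and the new `SecretKeyClientID` name the condition (`... for non-expiring ...`, `... for non-OIDC-based ...`), so the clause on these two looks truncated. Either complete it with the authentication methods for which the key is absent, or shorten it to `// This value is optional.` if no such condition exists. Since a consumer will presumably assemble a client configuration from `host` and `caData`, it is also worth stating in the `SecretKeyCAData` comment that readers must treat a missing CA as an error rather than falling back to an unverified connection; the constant itself cannot enforce that, so the contract belongs in the comment.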