doc(CU-869azd0ae): update meaning of system role

Author: eliecharra

docs/concepts/authorization/rbac-system.md

@@ -208,9 +208,11 @@ Root Space
 
 ## Roles
 
-### Predefined roles
+### System roles
 
-Spacelift provides three predefined roles (corresponding to the legacy system roles):
+System roles provide standard, least-privileged permission policies for granting access to specific pieces of Spacelift functionality. For example, the `Worker pool controller` role contains the correct permissions to allow the Kubernetes controller to manage worker pools automatically.
+
+System roles are immutable and cannot be modified or deleted, ensuring consistent baseline permissions across all accounts.
 
 #### Space reader
 

docs/concepts/spaces/access-control.md

@@ -7,13 +7,14 @@ specific spaces, providing precise control over who can access what resources.
 
 ## Roles and RBAC
 
-### Predefined roles
+### System roles
 
-Spacelift provides three predefined roles that can be assigned to users on a space-by-space basis:
+Spacelift provides following predefined system roles that can be assigned to users on a space-by-space basis:
 
 - **Space Reader** - View-only access to resources within the space, can add comments to runs for collaboration
 - **Space Writer** - Space Reader permissions + ability to trigger runs and modify environment variables
 - **Space Admin** - Space Writer permissions + ability to create and modify stacks and attachable entities
+- **Worker pool controller** - The role required to allow the Kubernetes WorkerPool controller to manage pools automatically. This role should be used when creating an API key for the controller.
 
 These predefined roles correspond to the legacy system roles (Read/Write/Admin) and provide a simple starting point for
 organizations new to RBAC.