diff --git a/docs/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/ci-cd-runs/add-checkov.adoc b/docs/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/ci-cd-runs/add-checkov.adoc index 27783ece14..09a9d516a8 100644 --- a/docs/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/ci-cd-runs/add-checkov.adoc +++ b/docs/en/enterprise-edition/content-collections/application-security/get-started/connect-code-and-build-providers/ci-cd-runs/add-checkov.adoc @@ -11,9 +11,14 @@ See https://www.checkov.io/2.Basics/Visualizing%20Checkov%20Output.html[Visualiz [.procedure] . Before you begin. +.. Grant the user installing Checkov either the Developer, AppSec Admin, or System Admin role within Prisma. If you prefer to use a custom permission group, Checkov requires: + +* Policies: Policies - 'View' permissions +* Application Security: Projects - 'View' permissions +* Settings: Providers - ('View' and 'Create') OR ('View' and 'Update') permissions + .. xref:../../../../administration/create-access-keys.adoc[Generate and copy the Prisma Cloud access key] to enable access to Prisma Cloud. The access key includes a key ID and secret. .. Add the Prisma Cloud IP addresses and hostname for Application Security to an xref:../../../../get-started/console-prerequisites.adoc[allow list] to enable access to the Prisma Cloud Console. -.. Grant *Administrator* permissions in the relevant organization to the Prisma user installing Checkov. .. Best Practice (*Mandatory* for SCA vulnerability suppression): + * Run Checkov within your current working directory (). It is recommended to use the absolute file path for your current working directory
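Review bot: In the added custom permission group list, the line "* Settings: Providers - ('View' and 'Create') OR ('View' and 'Update') permissions" does not say when each pair applies, so a reader aiming for the minimum grant cannot tell which one to choose. Suggest stating the condition for each alternative, or listing the single minimum set if one is enough. The new step also says "within Prisma" while the unchanged context lines say "Prisma Cloud"; use the same product name throughout. Finally, the removed step scoped the grant with "in the relevant organization", and the new wording drops that scope; say whether the Developer, AppSec Admin, or System Admin role still needs to be assigned for a specific organization.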