diff --git a/assets/config.php b/assets/config.php index 225a67d5..d810235a 100644 --- a/assets/config.php +++ b/assets/config.php @@ -175,16 +175,31 @@ return [ // todo docblock 'drop_tenant_databases_on_migrate_fresh' => false, - - /** - * Scope tenant models using RLS. - * - * Requires Postgres with single-database tenancy. - */ ], + /** + * Requires Postgres with single-database tenancy. + */ 'rls' => [ + /** + * Scope tenant models using RLS. + */ 'enabled' => false, + + /** + * Permissions to grant to the tenant Postgres users. + * + * By default, all permissions are granted. + * + * @see Stancl\Tenancy\Jobs\CreatePostgresUserForTenant + */ + 'user_permissions' => ['ALL'], + + /** + * Directories in which Tenancy will discover your models. + * + * @see Stancl\Tenancy\Commands\CreateRLSPoliciesForTenantTables + */ 'model_directories' => ['app/Models'], ], diff --git a/src/Jobs/CreatePostgresUserForTenant.php b/src/Jobs/CreatePostgresUserForTenant.php index 8818bed0..f6b22345 100644 --- a/src/Jobs/CreatePostgresUserForTenant.php +++ b/src/Jobs/CreatePostgresUserForTenant.php @@ -17,8 +17,6 @@ class CreatePostgresUserForTenant implements ShouldQueue { use Dispatchable, InteractsWithQueue, Queueable, SerializesModels; - public static array $permissions = ['ALL']; - /** * Create a new job instance. * @@ -59,7 +57,7 @@ class CreatePostgresUserForTenant implements ShouldQueue foreach ($tenantModels as $model) { $table = $model->getTable(); - foreach (static::$permissions as $permission) { + foreach (config('tenancy.rls.user_permissions') as $permission) { $databaseManager->database()->statement("GRANT {$permission} ON {$table} TO \"{$userName}\""); } diff --git a/tests/PostgresRLSTest.php b/tests/PostgresRLSTest.php index f5f2f355..0050878b 100644 --- a/tests/PostgresRLSTest.php +++ b/tests/PostgresRLSTest.php 
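Review bot: The new `user_permissions` docblock should state that each value is spliced verbatim, unquoted, into a `GRANT … ON … TO` statement by the job it points at, so the array may contain only Postgres privilege keywords and must never be populated from request input. It should also say what the `['ALL']` default means for a per-tenant role: in Postgres `ALL` on a table includes TRUNCATE, REFERENCES and TRIGGER, which an RLS-scoped application user rarely needs, so a narrower example belongs next to the default. Suggested lines after "By default, all permissions are granted.": ` * Each value is spliced unquoted into a GRANT statement, so use only Postgres privilege keywords, e.g. ['SELECT', 'INSERT', 'UPDATE', 'DELETE'] for least privilege.`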
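Review bot: `config('tenancy.rls.user_permissions')` is read with no default, so an application whose published config predates this key gets `null` here, and `foreach` over null only warns and grants nothing, whereas the removed `$permissions` property defaulted to `['ALL']`; the lookup is also repeated for every model in the outer loop. Each value is interpolated unquoted into `GRANT {$permission} ON {$table} …`, and the commit adds no check that it is a Postgres privilege keyword, so a typo or any non-keyword value placed in config now reaches the SQL statement. Read the list once before the model loop with the old default and reject anything outside the Postgres table-privilege keywords before issuing any GRANT. The enclosing method and the `$tenantModels` it iterates start outside the hunk.
```php
        // … unchanged: user creation and $tenantModels discovery …
        // Read once, not per model; keep the old static default for configs published before this key existed.
        $permissions = config('tenancy.rls.user_permissions', ['ALL']);
        $allowed = ['ALL', 'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE', 'REFERENCES', 'TRIGGER'];

        foreach ($permissions as $permission) {
            // Values are spliced unquoted into GRANT, so only privilege keywords may pass.
            if (! in_array(strtoupper((string) $permission), $allowed, true)) {
                throw new \InvalidArgumentException("Unsupported Postgres privilege in tenancy.rls.user_permissions: {$permission}");
            }
        }

        foreach ($tenantModels as $model) {
            $table = $model->getTable();

            foreach ($permissions as $permission) {
                $databaseManager->database()->statement("GRANT {$permission} ON {$table} TO \"{$userName}\"");
            }
            // … unchanged: rest of the model loop …
```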
@@ -31,13 +31,12 @@ beforeEach(function () { // Turn RLS scoping on config(['tenancy.rls.enabled' => false]); config(['tenancy.rls.model_directories' => [__DIR__ . '/Etc']]); + config(['tenancy.rls.user_permissions' => ['ALL']]); config(['tenancy.bootstrappers' => [PostgresRLSBootstrapper::class]]); config(['database.connections.' . $centralConnection => config('database.connections.pgsql')]); config(['tenancy.models.tenant_key_column' => 'tenant_id']); config(['tenancy.models.tenant' => $tenantClass = Tenant::class]); - CreatePostgresUserForTenant::$permissions = ['ALL']; - $tenantModel = new $tenantClass; $primaryModel = new Post; $secondaryModel = new ScopedComment; @@ -218,14 +217,14 @@ test('queries are correctly scoped using RLS', function() { }); test('users created by CreatePostgresUserForTenant are only granted the permissions specified in the static property', function() { - CreatePostgresUserForTenant::$permissions = ['INSERT', 'SELECT', 'UPDATE']; + config(['tenancy.rls.user_permissions' => ['INSERT', 'SELECT', 'UPDATE']]); $tenant = Tenant::create(); $name = $tenant->getTenantKey(); CreatePostgresUserForTenant::dispatchSync($tenant); $grants = array_map(fn (object $grant) => $grant->privilege_type, DB::select("SELECT * FROM information_schema.role_table_grants WHERE grantee = '$name';")); - expect($grants)->toContain(...CreatePostgresUserForTenant::$permissions) + expect($grants)->toContain(...config('tenancy.rls.user_permissions')) ->not()->toContain('DELETE'); });
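Review bot: The test title still says the permissions are "specified in the static property", but this commit deletes `CreatePostgresUserForTenant::$permissions` and the body now reads them from config, so the name is stale: `test('users created by CreatePostgresUserForTenant are only granted the permissions specified in tenancy.rls.user_permissions', function() {`. The assertion also only proves DELETE is absent; since the option exists for least privilege, it is stronger to assert that nothing outside the configured three was granted at all, e.g. `expect(array_diff(array_unique($grants), config('tenancy.rls.user_permissions')))->toBeEmpty();`, which would also catch TRUNCATE, REFERENCES or TRIGGER slipping through.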