docs: clarify Data Sources tab permission requirement for custom roles

products/cloud/guides/security/cloud-access-management/manage-custom-roles.mdx

@@ -55,6 +55,10 @@ Click the `Allow` button and select from Organization, Service, and/or Database
 Ensure users who will log into the console have a minimum of Organization > Access organization permissions.
 </Tip>
 
+<Note>
+**ClickPipes / Data Sources access**: To grant access to the **Data Sources** tab (used for ClickPipes, data lake integrations, and file uploads), the role must include `Manage and Delete Selected Services` in addition to any ClickPipes-specific permissions.
+</Note>
+
 <Image img="/images/cloud/guides/control_plane/manage_custom_roles/5_custom_role.png" size="md"/>
 </Step>
 <Step>

products/cloud/reference/security/console-roles.mdx

@@ -84,3 +84,7 @@ The table below describes the ClickHouse console and SQL console permissions. Mo
 | control-plane:service:manage-clickstack-api | Manage ClickStack API access and related integrations. |
 | **SQL console role mapping** ([more info](/products/cloud/guides/security/cloud-access-management/manage-sql-console-role-assignments)) | Manage SQL console role assignments |
 | sql-console:database:access | Passwordless access to the database via SQL console (may only be used with sql-console-admin or sql-console-readonly) |
+
+<Note>
+**Data Sources tab visibility**: Granting `control-plane:service:manage-clickpipes` alone doesn't make the **Data Sources** tab visible in the console. The Data Sources tab is gated on `control-plane:service:manage` (the "Manage and Delete Selected Services" permission), so custom roles intended to manage ClickPipes must include both permissions.
+</Note>