diff --git a/OMICRON_VERSION b/OMICRON_VERSION
index 542956ae1..ad0d5dd2e 100644
--- a/OMICRON_VERSION
+++ b/OMICRON_VERSION
@@ -1 +1 @@
-9617f40aa6f35b58ffd6b4e92c02ba8e7dd95033
+a6e111cf72ab987b2ea5acd7d26610ea2a55bf0f
diff --git a/app/api/__generated__/Api.ts b/app/api/__generated__/Api.ts
index 1697a6c0a..72bbed88f 100644
--- a/app/api/__generated__/Api.ts
+++ b/app/api/__generated__/Api.ts
@@ -3297,7 +3297,7 @@ export type ProjectResultsPage = {
   nextPage?: string | null
 }
 
-export type ProjectRole = 'admin' | 'collaborator' | 'viewer'
+export type ProjectRole = 'admin' | 'collaborator' | 'limited_collaborator' | 'viewer'
 
 /**
  * Describes the assignment of a particular role on a particular resource to a particular identity (user, group, etc.)
@@ -3738,7 +3738,7 @@ export type SiloResultsPage = {
   nextPage?: string | null
 }
 
-export type SiloRole = 'admin' | 'collaborator' | 'viewer'
+export type SiloRole = 'admin' | 'collaborator' | 'limited_collaborator' | 'viewer'
 
 /**
  * Describes the assignment of a particular role on a particular resource to a particular identity (user, group, etc.)
@@ -10110,7 +10110,7 @@ export class Api extends HttpClient {
       })
     },
     /**
-     * Fetch system release repository description by version
+     * Fetch system release repository by version
      */
     systemUpdateRepositoryView: (
       { path }: { path: SystemUpdateRepositoryViewPathParams },
diff --git a/app/api/__generated__/OMICRON_VERSION b/app/api/__generated__/OMICRON_VERSION
index c5a25f06b..c092490dd 100644
--- a/app/api/__generated__/OMICRON_VERSION
+++ b/app/api/__generated__/OMICRON_VERSION
@@ -1,2 +1,2 @@
 # generated file. do not update manually. see docs/update-pinned-api.md
-9617f40aa6f35b58ffd6b4e92c02ba8e7dd95033
+a6e111cf72ab987b2ea5acd7d26610ea2a55bf0f
diff --git a/app/api/__generated__/validate.ts b/app/api/__generated__/validate.ts
index f7a6949ea..a1af9104e 100644
--- a/app/api/__generated__/validate.ts
+++ b/app/api/__generated__/validate.ts
@@ -3056,7 +3056,7 @@ export const ProjectResultsPage = z.preprocess(
 
 export const ProjectRole = z.preprocess(
   processResponseBody,
-  z.enum(['admin', 'collaborator', 'viewer'])
+  z.enum(['admin', 'collaborator', 'limited_collaborator', 'viewer'])
 )
 
 /**
@@ -3438,7 +3438,7 @@ export const SiloResultsPage = z.preprocess(
 
 export const SiloRole = z.preprocess(
   processResponseBody,
-  z.enum(['admin', 'collaborator', 'viewer'])
+  z.enum(['admin', 'collaborator', 'limited_collaborator', 'viewer'])
 )
 
 /**
diff --git a/app/api/roles.spec.ts b/app/api/roles.spec.ts
index 81b6418f4..e8b44c638 100644
--- a/app/api/roles.spec.ts
+++ b/app/api/roles.spec.ts
@@ -157,5 +157,5 @@ test('byGroupThenName sorts as expected', () => {
 })
 
 test('allRoles', () => {
-  expect(allRoles).toEqual(['admin', 'collaborator', 'viewer'])
+  expect(allRoles).toEqual(['admin', 'collaborator', 'limited_collaborator', 'viewer'])
 })
diff --git a/app/api/roles.ts b/app/api/roles.ts
index e5c912538..8c7467dcd 100644
--- a/app/api/roles.ts
+++ b/app/api/roles.ts
@@ -33,7 +33,8 @@ const flatRoles = (roleOrder: Record<RoleKey, number>): RoleKey[] =>
 export const roleOrder: Record<RoleKey, number> = {
   collaborator: 1,
   admin: 0,
-  viewer: 2,
+  viewer: 3,
+  limited_collaborator: 2,
 }
 
 /** `roleOrder` record converted to a sorted array of roles. */
diff --git a/app/components/form/fields/RadioField.tsx b/app/components/form/fields/RadioField.tsx
index 2d0813950..9319b4996 100644
--- a/app/components/form/fields/RadioField.tsx
+++ b/app/components/form/fields/RadioField.tsx
@@ -16,9 +16,11 @@ import {
 } from 'react-hook-form'
 
 import { FieldLabel } from '~/ui/lib/FieldLabel'
-import { Radio, type RadioProps } from '~/ui/lib/Radio'
+import { Radio, RadioCard, type RadioProps } from '~/ui/lib/Radio'
 import { RadioGroup, type RadioGroupProps } from '~/ui/lib/RadioGroup'
 import { TextInputHint } from '~/ui/lib/TextInput'
+import { isOneOf } from '~/util/children'
+import { invariant } from '~/util/invariant'
 import { capitalize } from '~/util/str'
 
 export type RadioFieldProps<
@@ -99,11 +101,23 @@ export function RadioField<
 
 type RadioElt = React.ReactElement<RadioProps>
 
+// we do not extend RadioFieldProps here because it limits our ability to type
+// components like RoleRadioField. see https://tsplay.dev/ND13Om
+
 export type RadioFieldDynProps<
   TFieldValues extends FieldValues,
   TName extends FieldPath<TFieldValues>,
-> = Omit<RadioFieldProps<TFieldValues, TName>, 'parseValue' | 'items'> & {
+> = {
+  name: TName
+  label?: string
+  description?: string | React.ReactNode
+  units?: string
+  control: Control<TFieldValues>
   children: RadioElt | RadioElt[]
+  column?: boolean
+  className?: string
+  required?: boolean
+  disabled?: boolean
 }
 
 /**
@@ -117,7 +131,7 @@ export function RadioFieldDyn<
   TName extends FieldPath<TFieldValues>,
 >({
   name,
-  label = capitalize(name),
+  label,
   description,
   units,
   control,
@@ -126,9 +140,13 @@ export function RadioFieldDyn<
 }: RadioFieldDynProps<TFieldValues, TName>) {
   const id = useId()
   const { field } = useController({ name, control })
+  invariant(
+    isOneOf(children, [Radio, RadioCard]),
+    'Children of RadioFieldDyn must be Radio or RadioCard'
+  )
   return (
     <div>
-      <div className="mb-2">
+      <div className="mb-3">
         {label && (
           <FieldLabel id={`${id}-label`}>
             {label} {units && <span className="text-default ml-1">({units})</span>}
diff --git a/app/forms/access-util.tsx b/app/forms/access-util.tsx
index cff6f0ee3..e30aa4478 100644
--- a/app/forms/access-util.tsx
+++ b/app/forms/access-util.tsx
@@ -5,6 +5,9 @@
  *
  * Copyright Oxide Computer Company
  */
+import type { Control, FieldPath, FieldValues } from 'react-hook-form'
+import * as R from 'remeda'
+
 import {
   allRoles,
   type Actor,
@@ -14,20 +17,38 @@ import {
 } from '@oxide/api'
 import { Badge } from '@oxide/design-system/ui'
 
+import { RadioFieldDyn } from '~/components/form/fields/RadioField'
 import { type ListboxItem } from '~/ui/lib/Listbox'
+import { Message } from '~/ui/lib/Message'
+import { Radio } from '~/ui/lib/Radio'
+import { links } from '~/util/links'
 import { capitalize } from '~/util/str'
 
 type AddUserValues = {
   identityId: string
-  roleName: RoleKey | ''
+  roleName: RoleKey
 }
 
 export const defaultValues: AddUserValues = {
   identityId: '',
-  roleName: '',
+  roleName: 'viewer',
+}
+
+// Role descriptions for project-level roles
+const projectRoleDescriptions: Record<RoleKey, string> = {
+  admin: 'Control all aspects of the project',
+  collaborator: 'Manage all project resources, including networking',
+  limited_collaborator: 'Manage project resources except networking configuration',
+  viewer: 'View resources within the project',
 }
 
-export const roleItems = allRoles.map((role) => ({ value: role, label: capitalize(role) }))
+// Role descriptions for silo-level roles
+const siloRoleDescriptions: Record<RoleKey, string> = {
+  admin: 'Control all aspects of the silo',
+  collaborator: 'Create and administer projects',
+  limited_collaborator: 'Manage project resources except networking configuration',
+  viewer: 'View resources within the silo',
+}
 
 export const actorToItem = (actor: Actor): ListboxItem => ({
   value: actor.id,
@@ -55,3 +76,62 @@ export type EditRoleModalProps = AddRoleModalProps & {
   identityType: IdentityType
   defaultValues: { roleName: RoleKey }
 }
+
+const AccessDocs = () => (
+  <a href={links.accessDocs} target="_blank" rel="noreferrer">
+    Access Control
+  </a>
+)
+export function RoleRadioField<
+  TFieldValues extends FieldValues,
+  TName extends FieldPath<TFieldValues>,
+>({
+  name,
+  control,
+  scope,
+}: {
+  name: TName
+  control: Control<TFieldValues>
+  scope: 'Silo' | 'Project'
+}) {
+  const roleDescriptions = scope === 'Silo' ? siloRoleDescriptions : projectRoleDescriptions
+  return (
+    <>
+      <RadioFieldDyn
+        name={name}
+        label={`${scope} role`}
+        required
+        control={control}
+        column
+        className="mt-2"
+      >
+        {R.reverse(allRoles).map((role) => (
+          <Radio name="roleName" key={role} value={role} alignTop>
+            <div className="text-sans-md text-raise">
+              {capitalize(role).replace('_', ' ')}
+            </div>
+            <div className="text-sans-sm text-secondary">{roleDescriptions[role]}</div>
+          </Radio>
+        ))}
+      </RadioFieldDyn>
+      <Message
+        variant="info"
+        content={
+          scope === 'Silo' ? (
+            <>
+              Silo roles are inherited by all projects in the silo and override weaker
+              roles. For example, a silo viewer is <em>at least</em> a viewer on all
+              projects in the silo. Learn more in the <AccessDocs /> guide.
+            </>
+          ) : (
+            <>
+              Project roles can be overridden by a stronger role on the silo. For example, a
+              silo viewer is <em>at least</em> a viewer on all projects in the silo. Learn
+              more in the <AccessDocs /> guide.
+            </>
+          )
+        }
+      />
+    </>
+  )
+}
diff --git a/app/forms/instance-create.tsx b/app/forms/instance-create.tsx
index 41827bf95..28dc4552d 100644
--- a/app/forms/instance-create.tsx
+++ b/app/forms/instance-create.tsx
@@ -394,34 +394,19 @@ export default function CreateInstanceForm() {
             </Tabs.Trigger>
           </Tabs.List>
           <Tabs.Content value="general">
-            <RadioFieldDyn
-              name="presetId"
-              label=""
-              control={control}
-              disabled={isSubmitting}
-            >
+            <RadioFieldDyn name="presetId" control={control} disabled={isSubmitting}>
               {renderLargeRadioCards('general')}
             </RadioFieldDyn>
           </Tabs.Content>
 
           <Tabs.Content value="highCPU">
-            <RadioFieldDyn
-              name="presetId"
-              label=""
-              control={control}
-              disabled={isSubmitting}
-            >
+            <RadioFieldDyn name="presetId" control={control} disabled={isSubmitting}>
               {renderLargeRadioCards('highCPU')}
             </RadioFieldDyn>
           </Tabs.Content>
 
           <Tabs.Content value="highMemory">
-            <RadioFieldDyn
-              name="presetId"
-              label=""
-              control={control}
-              disabled={isSubmitting}
-            >
+            <RadioFieldDyn name="presetId" control={control} disabled={isSubmitting}>
               {renderLargeRadioCards('highMemory')}
             </RadioFieldDyn>
           </Tabs.Content>
diff --git a/app/forms/project-access.tsx b/app/forms/project-access.tsx
index ae9551cd3..9addcd85a 100644
--- a/app/forms/project-access.tsx
+++ b/app/forms/project-access.tsx
@@ -13,16 +13,18 @@ import {
   useApiMutation,
   useApiQueryClient,
 } from '@oxide/api'
+import { Access16Icon } from '@oxide/design-system/icons/react'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
 import { SideModalForm } from '~/components/form/SideModalForm'
 import { useProjectSelector } from '~/hooks/use-params'
 import { addToast } from '~/stores/toast'
+import { ResourceLabel } from '~/ui/lib/SideModal'
 
 import {
   actorToItem,
   defaultValues,
-  roleItems,
+  RoleRadioField,
   type AddRoleModalProps,
   type EditRoleModalProps,
 } from './access-util'
@@ -50,11 +52,8 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
       resourceName="role"
       form={form}
       formType="create"
+      submitLabel="Assign role"
       onSubmit={({ identityId, roleName }) => {
-        // can't happen because roleName is validated not to be '', but TS
-        // wants to be sure
-        if (roleName === '') return
-
         // actor is guaranteed to be in the list because it came from there
         const identityType = actors.find((a) => a.id === identityId)!.identityType
 
@@ -65,7 +64,6 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
-      submitLabel="Assign role"
       onDismiss={onDismiss}
     >
       <ListboxField
@@ -75,13 +73,7 @@ export function ProjectAccessAddUserSideModal({ onDismiss, policy }: AddRoleModa
         required
         control={form.control}
       />
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField name="roleName" control={form.control} scope="Project" />
     </SideModalForm>
   )
 }
@@ -109,11 +101,15 @@ export function ProjectAccessEditUserSideModal({
 
   return (
     <SideModalForm
-      // TODO: show user name in header or SOMEWHERE
       form={form}
       formType="edit"
       resourceName="role"
-      title={`Change project role for ${name}`}
+      title="Edit role"
+      subtitle={
+        <ResourceLabel>
+          <Access16Icon /> {name}
+        </ResourceLabel>
+      }
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
           path: { project },
@@ -124,13 +120,7 @@ export function ProjectAccessEditUserSideModal({
       submitError={updatePolicy.error}
       onDismiss={onDismiss}
     >
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField name="roleName" control={form.control} scope="Project" />
     </SideModalForm>
   )
 }
diff --git a/app/forms/silo-access.tsx b/app/forms/silo-access.tsx
index 6eb2e2f70..e816a3095 100644
--- a/app/forms/silo-access.tsx
+++ b/app/forms/silo-access.tsx
@@ -13,14 +13,16 @@ import {
   useApiMutation,
   useApiQueryClient,
 } from '@oxide/api'
+import { Access16Icon } from '@oxide/design-system/icons/react'
 
 import { ListboxField } from '~/components/form/fields/ListboxField'
 import { SideModalForm } from '~/components/form/SideModalForm'
+import { ResourceLabel } from '~/ui/lib/SideModal'
 
 import {
   actorToItem,
   defaultValues,
-  roleItems,
+  RoleRadioField,
   type AddRoleModalProps,
   type EditRoleModalProps,
 } from './access-util'
@@ -44,12 +46,9 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
       formType="create"
       resourceName="role"
       title="Add user or group"
+      submitLabel="Assign role"
       onDismiss={onDismiss}
       onSubmit={({ identityId, roleName }) => {
-        // can't happen because roleName is validated not to be '', but TS
-        // wants to be sure
-        if (roleName === '') return
-
         // TODO: DRY logic
         // actor is guaranteed to be in the list because it came from there
         const identityType = actors.find((a) => a.id === identityId)!.identityType
@@ -60,7 +59,6 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
       }}
       loading={updatePolicy.isPending}
       submitError={updatePolicy.error}
-      submitLabel="Assign role"
     >
       <ListboxField
         name="identityId"
@@ -69,13 +67,7 @@ export function SiloAccessAddUserSideModal({ onDismiss, policy }: AddRoleModalPr
         required
         control={form.control}
       />
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField name="roleName" control={form.control} scope="Silo" />
     </SideModalForm>
   )
 }
@@ -99,11 +91,15 @@ export function SiloAccessEditUserSideModal({
 
   return (
     <SideModalForm
-      // TODO: show user name in header or SOMEWHERE
       form={form}
       formType="edit"
       resourceName="role"
-      title={`Change silo role for ${name}`}
+      title="Edit role"
+      subtitle={
+        <ResourceLabel>
+          <Access16Icon /> {name}
+        </ResourceLabel>
+      }
       onSubmit={({ roleName }) => {
         updatePolicy.mutate({
           body: updateRole({ identityId, identityType, roleName }, policy),
@@ -113,13 +109,7 @@ export function SiloAccessEditUserSideModal({
       submitError={updatePolicy.error}
       onDismiss={onDismiss}
     >
-      <ListboxField
-        name="roleName"
-        label="Role"
-        items={roleItems}
-        required
-        control={form.control}
-      />
+      <RoleRadioField name="roleName" control={form.control} scope="Silo" />
     </SideModalForm>
   )
 }
diff --git a/app/ui/lib/Radio.tsx b/app/ui/lib/Radio.tsx
index 646c8a364..c674eec14 100644
--- a/app/ui/lib/Radio.tsx
+++ b/app/ui/lib/Radio.tsx
@@ -17,7 +17,10 @@ import cn from 'classnames'
 import type { ComponentProps } from 'react'
 
 // input type is fixed to "radio"
-export type RadioProps = Omit<React.ComponentProps<'input'>, 'type'>
+export type RadioProps = Omit<React.ComponentProps<'input'>, 'type'> & {
+  /** Align radio button with top of content instead of center (useful for multi-line content) */
+  alignTop?: boolean
+}
 
 const fieldStyles = `
   peer appearance-none absolute outline-hidden
@@ -26,9 +29,9 @@ const fieldStyles = `
   disabled:hover:bg-transparent
 `
 
-export const Radio = ({ children, className, ...inputProps }: RadioProps) => (
-  <label className="inline-flex items-center">
-    <span className="relative h-4 w-4">
+export const Radio = ({ children, className, alignTop, ...inputProps }: RadioProps) => (
+  <label className={cn('inline-flex', alignTop ? 'items-start' : 'items-center')}>
+    <span className="relative h-4 w-4 shrink-0">
       <input className={cn(fieldStyles, className)} type="radio" {...inputProps} />
       {/* the dot in the middle. hide by default, use peer-checked to show if checked */}
       <div className="bg-accent pointer-events-none absolute top-1 left-1 hidden h-2 w-2 rounded-full peer-checked:block" />
diff --git a/app/util/access.ts b/app/util/access.ts
index e70ec007c..0e7b374cd 100644
--- a/app/util/access.ts
+++ b/app/util/access.ts
@@ -18,5 +18,6 @@ export const identityTypeLabel: Record<IdentityType, string> = {
 export const roleColor: Record<RoleKey, BadgeColor> = {
   admin: 'default',
   collaborator: 'purple',
+  limited_collaborator: 'purple',
   viewer: 'blue',
 }
diff --git a/mock-api/msw/handlers.ts b/mock-api/msw/handlers.ts
index 0a2c996ec..b6995b6f2 100644
--- a/mock-api/msw/handlers.ts
+++ b/mock-api/msw/handlers.ts
@@ -22,6 +22,7 @@ import {
   type AffinityGroupMember,
   type AntiAffinityGroupMember,
   type ApiTypes as Api,
+  type FleetRole,
   type InstanceDiskAttachment,
   type SamlIdentityProvider,
 } from '@oxide/api'
@@ -1154,8 +1155,9 @@ export const handlers = makeHandlers({
     const vpcs = db.vpcs.filter((v) => v.project_id === project.id)
     return paginated(query, vpcs)
   },
-  vpcCreate({ body, query }) {
+  vpcCreate({ body, query, cookies }) {
     const project = lookup.project(query)
+    requireRole(cookies, 'project', project.id, 'collaborator')
     errIfExists(db.vpcs, { name: body.name, project_id: project.id })
 
     const newVpc: Json<Api.Vpc> = {
@@ -1626,9 +1628,15 @@ export const handlers = makeHandlers({
   systemPolicyView({ cookies }) {
     requireFleetViewer(cookies)
 
+    const fleetRoles: FleetRole[] = ['admin', 'collaborator', 'viewer']
     const role_assignments = db.roleAssignments
       .filter((r) => r.resource_type === 'fleet' && r.resource_id === FLEET_ID)
-      .map((r) => R.pick(r, ['identity_id', 'identity_type', 'role_name']))
+      .filter((r) => fleetRoles.includes(r.role_name as FleetRole))
+      .map((r) => ({
+        identity_id: r.identity_id,
+        identity_type: r.identity_type,
+        role_name: r.role_name as FleetRole,
+      }))
 
     return { role_assignments }
   },
diff --git a/mock-api/msw/util.spec.ts b/mock-api/msw/util.spec.ts
index 022f1279c..a9c05d202 100644
--- a/mock-api/msw/util.spec.ts
+++ b/mock-api/msw/util.spec.ts
@@ -81,6 +81,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', true],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -93,6 +94,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', false],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -105,6 +107,23 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', true],
+      ['Herbert Marcuse', false],
+    ])
+  })
+
+  it('silo limited_collaborator', () => {
+    expect(
+      users.map((u) => [
+        u.display_name,
+        userHasRole(u, 'silo', defaultSilo.id, 'limited_collaborator'),
+      ])
+    ).toEqual([
+      ['Hannah Arendt', true],
+      ['Hans Jonas', true],
+      ['Jacob Klein', false],
+      ['Simone de Beauvoir', false],
+      ['Jane Austen', true],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -120,6 +139,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', true],
+      ['Herbert Marcuse', false],
     ])
   })
 
@@ -132,6 +152,7 @@ describe('userHasRole', () => {
       ['Jacob Klein', false],
       ['Simone de Beauvoir', false],
       ['Jane Austen', false],
+      ['Herbert Marcuse', false],
     ])
   })
 })
diff --git a/mock-api/msw/util.ts b/mock-api/msw/util.ts
index 741d99733..bd3aad2ec 100644
--- a/mock-api/msw/util.ts
+++ b/mock-api/msw/util.ts
@@ -304,17 +304,17 @@ export function currentUser(cookies: Record<string, string>): Json<User> {
 // could implement with `takeUntil(allRoles, r => r === role)`, but that is so
 // much harder to understand
 const roleOrStronger: Record<RoleKey, RoleKey[]> = {
-  viewer: ['viewer', 'collaborator', 'admin'],
+  viewer: ['viewer', 'limited_collaborator', 'collaborator', 'admin'],
+  limited_collaborator: ['limited_collaborator', 'collaborator', 'admin'],
   collaborator: ['collaborator', 'admin'],
   admin: ['admin'],
 }
 
 /**
  * Determine whether a user has a role at least as strong as `role` on the
- * specified resource. Note that this does not yet do parent-child inheritance
- * like Nexus does, i.e., if a user has collaborator on a silo, then it inherits
- * collaborator on all projects in the silo even if it has no explicit role on
- * those projects. This does NOT do that.
+ * specified resource. Implements parent-child inheritance like Nexus does:
+ * if a user has a role on a silo, they inherit that role on all projects
+ * in the silo.
  */
 export function userHasRole(
   user: Json<User>,
@@ -328,6 +328,8 @@ export function userHasRole(
     .filter((g) => !!g)
     .map((g) => g.id)
 
+  const actorIds = [user.id, ...userGroupIds]
+
   /** All actors with *at least* the specified role on the resource */
   const actorsWithRole = db.roleAssignments
     .filter(
@@ -338,8 +340,47 @@ export function userHasRole(
     )
     .map((ra) => ra.identity_id)
 
-  // user has role if their own ID or any of their groups is associated with the role
-  return [user.id, ...userGroupIds].some((id) => actorsWithRole.includes(id))
+  // Direct role on the resource
+  if (actorIds.some((id) => actorsWithRole.includes(id))) {
+    return true
+  }
+
+  // Check for inherited roles: if checking project role, also check parent silo roles
+  // Silo role inheritance to project roles:
+  // - silo admin → project admin
+  // - silo collaborator → project admin (note collaborator → admin)
+  // - silo limited_collaborator → project limited_collaborator
+  // - silo viewer → project viewer
+  if (resourceType === 'project') {
+    const project = db.projects.find((p) => p.id === resourceId)
+    if (!project) return false
+
+    // Map requested project role to silo roles that confer authority
+    const siloRolesForProjectRole: Record<RoleKey, RoleKey[]> = {
+      admin: ['admin', 'collaborator'], // silo collaborator grants project admin
+      collaborator: ['admin', 'collaborator'],
+      limited_collaborator: ['admin', 'collaborator', 'limited_collaborator'],
+      viewer: ['admin', 'collaborator', 'limited_collaborator', 'viewer'],
+    }
+
+    const requiredSiloRoles = siloRolesForProjectRole[role] || []
+
+    // Check if user has any silo role that grants the requested project role
+    const siloActorsWithRole = db.roleAssignments
+      .filter(
+        (ra) =>
+          ra.resource_type === 'silo' &&
+          ra.resource_id === user.silo_id &&
+          requiredSiloRoles.includes(ra.role_name)
+      )
+      .map((ra) => ra.identity_id)
+
+    if (actorIds.some((id) => siloActorsWithRole.includes(id))) {
+      return true
+    }
+  }
+
+  return false
 }
 
 /**
diff --git a/mock-api/role-assignment.ts b/mock-api/role-assignment.ts
index 3fcf4c4e7..a19fc2c7e 100644
--- a/mock-api/role-assignment.ts
+++ b/mock-api/role-assignment.ts
@@ -9,7 +9,7 @@ import { FLEET_ID, type IdentityType, type RoleKey } from '@oxide/api'
 
 import { project } from './project'
 import { defaultSilo } from './silo'
-import { user1, user3, user5 } from './user'
+import { user1, user3, user5, user6 } from './user'
 import { userGroup2, userGroup3 } from './user-group'
 
 // For most other resources, we can store the API types directly in the DB. But
@@ -72,4 +72,11 @@ export const roleAssignments: DbRoleAssignment[] = [
     identity_type: 'silo_group',
     role_name: 'viewer',
   },
+  {
+    resource_type: 'project',
+    resource_id: project.id,
+    identity_id: user6.id, // Herbert Marcuse
+    identity_type: 'silo_user',
+    role_name: 'limited_collaborator',
+  },
 ]
diff --git a/mock-api/user.ts b/mock-api/user.ts
index 56ec885f6..04433a596 100644
--- a/mock-api/user.ts
+++ b/mock-api/user.ts
@@ -40,4 +40,10 @@ export const user5: Json<User> = {
   silo_id: defaultSilo.id,
 }
 
-export const users = [user1, user2, user3, user4, user5]
+export const user6: Json<User> = {
+  id: 'f8c2b4d3-6e7a-4b9c-8d1e-3a4f5b6c7d8e',
+  display_name: 'Herbert Marcuse',
+  silo_id: defaultSilo.id,
+}
+
+export const users = [user1, user2, user3, user4, user5, user6]
diff --git a/test/e2e/project-access.e2e.ts b/test/e2e/project-access.e2e.ts
index 474cea46d..d4f34d8ce 100644
--- a/test/e2e/project-access.e2e.ts
+++ b/test/e2e/project-access.e2e.ts
@@ -13,7 +13,7 @@ test('Click through project access page', async ({ page }) => {
   await page.goto('/projects/mock-project')
   await page.click('role=link[name*="Access"]')
 
-  // page is there, we see user 1 and 3 but not 2 or 4
+  // we see groups and users 1, 3, 6 but not users 2, 4, 5
   await expectVisible(page, ['role=heading[name*="Access"]'])
   const table = page.locator('table')
   await expectRowVisible(table, {
@@ -26,6 +26,11 @@ test('Click through project access page', async ({ page }) => {
     Type: 'User',
     Role: 'project.collaborator',
   })
+  await expectRowVisible(table, {
+    Name: 'Herbert Marcuse',
+    Type: 'User',
+    Role: 'project.limited_collaborator',
+  })
   await expectRowVisible(table, {
     Name: 'real-estate-devs',
     Type: 'Group',
@@ -48,7 +53,10 @@ test('Click through project access page', async ({ page }) => {
 
   await page.click('role=button[name*="User or group"]')
   // only users not already on the project should be visible
-  await expectNotVisible(page, ['role=option[name="Jacob Klein"]'])
+  await expectNotVisible(page, [
+    'role=option[name="Jacob Klein"]',
+    'role=option[name="Herbert Marcuse"]',
+  ])
 
   await expectVisible(page, [
     'role=option[name="Hannah Arendt"]',
@@ -57,15 +65,7 @@ test('Click through project access page', async ({ page }) => {
   ])
 
   await page.click('role=option[name="Simone de Beauvoir"]')
-
-  await page.click('role=button[name*="Role"]')
-  await expectVisible(page, [
-    'role=option[name="Admin"]',
-    'role=option[name="Collaborator"]',
-    'role=option[name="Viewer"]',
-  ])
-
-  await page.click('role=option[name="Collaborator"]')
+  await page.getByRole('radio', { name: /^Collaborator / }).click()
   await page.click('role=button[name="Assign role"]')
 
   // User 4 shows up in the table
@@ -82,13 +82,13 @@ test('Click through project access page', async ({ page }) => {
     .click()
   await page.click('role=menuitem[name="Change role"]')
 
-  await expectVisible(page, [
-    'role=heading[name*="Change project role for Simone de Beauvoir"]',
-  ])
-  await expectVisible(page, ['button:has-text("Collaborator")'])
+  await expectVisible(page, ['role=heading[name*="Edit role"]'])
+
+  // Verify Collaborator is currently selected
+  await expect(page.getByRole('radio', { name: /^Collaborator / })).toBeChecked()
 
-  await page.click('role=button[name*="Role"]')
-  await page.click('role=option[name="Viewer"]')
+  // Select Viewer role
+  await page.getByRole('radio', { name: /^Viewer / }).click()
   await page.click('role=button[name="Update role"]')
 
   await expectRowVisible(table, { Name: user4.display_name, Role: 'project.viewer' })
@@ -106,8 +106,8 @@ test('Click through project access page', async ({ page }) => {
   await page.click('role=button[name="Add user or group"]')
   await page.click('role=button[name*="User or group"]')
   await page.click('role=option[name="Hannah Arendt"]')
-  await page.click('role=button[name*="Role"]')
-  await page.click('role=option[name="Viewer"]')
+  // Select Viewer role
+  await page.getByRole('radio', { name: /^Viewer / }).click()
   await page.click('role=button[name="Assign role"]')
   // because we only show the "effective" role, we should still see the silo admin role, but should now have an additional count value
   await expectRowVisible(table, {
diff --git a/test/e2e/silo-access.e2e.ts b/test/e2e/silo-access.e2e.ts
index 515bb5acf..720ef8ba1 100644
--- a/test/e2e/silo-access.e2e.ts
+++ b/test/e2e/silo-access.e2e.ts
@@ -14,7 +14,7 @@ test('Click through silo access page', async ({ page }) => {
 
   const table = page.locator('role=table')
 
-  // page is there, we see user 1 and 2 but not 3
+  // page is there; we see user 1 and 2 but not 3
   await page.click('role=link[name*="Access"]')
 
   await expectVisible(page, ['role=heading[name*="Access"]'])
@@ -44,15 +44,7 @@ test('Click through silo access page', async ({ page }) => {
   ])
 
   await page.click('role=option[name="Jacob Klein"]')
-
-  await page.click('role=button[name*="Role"]')
-  await expectVisible(page, [
-    'role=option[name="Admin"]',
-    'role=option[name="Collaborator"]',
-    'role=option[name="Viewer"]',
-  ])
-
-  await page.click('role=option[name="Collaborator"]')
+  await page.getByRole('radio', { name: /^Collaborator / }).click()
   await page.click('role=button[name="Assign role"]')
 
   // User 3 shows up in the table
@@ -69,11 +61,13 @@ test('Click through silo access page', async ({ page }) => {
     .click()
   await page.click('role=menuitem[name="Change role"]')
 
-  await expectVisible(page, ['role=heading[name*="Change silo role for Jacob Klein"]'])
-  await expectVisible(page, ['button:has-text("Collaborator")'])
+  await expectVisible(page, ['role=heading[name*="Edit role"]'])
+
+  // Verify Collaborator is currently selected
+  await expect(page.getByRole('radio', { name: /^Collaborator / })).toBeChecked()
 
-  await page.click('role=button[name*="Role"]')
-  await page.click('role=option[name="Viewer"]')
+  // Select Viewer role
+  await page.getByRole('radio', { name: /^Viewer / }).click()
   await page.click('role=button[name="Update role"]')
 
   await expectRowVisible(table, { Name: user3.display_name, Role: 'silo.viewer' })
diff --git a/test/e2e/utils.ts b/test/e2e/utils.ts
index b9a27bb2e..f549562bc 100644
--- a/test/e2e/utils.ts
+++ b/test/e2e/utils.ts
@@ -191,7 +191,12 @@ export async function selectOption(
 
 export async function getPageAsUser(
   browser: Browser,
-  user: 'Hans Jonas' | 'Simone de Beauvoir' | 'Jacob Klein' | 'Jane Austen'
+  user:
+    | 'Hans Jonas'
+    | 'Simone de Beauvoir'
+    | 'Jacob Klein'
+    | 'Jane Austen'
+    | 'Herbert Marcuse'
 ): Promise<Page> {
   const browserContext = await browser.newContext()
   await browserContext.addCookies([
diff --git a/test/e2e/vpcs.e2e.ts b/test/e2e/vpcs.e2e.ts
index fc8aff4c6..6efb700cb 100644
--- a/test/e2e/vpcs.e2e.ts
+++ b/test/e2e/vpcs.e2e.ts
@@ -7,7 +7,7 @@
  */
 import { expect, test } from '@playwright/test'
 
-import { clickRowAction, expectRowVisible, selectOption } from './utils'
+import { clickRowAction, expectRowVisible, getPageAsUser, selectOption } from './utils'
 
 test('can nav to VpcPage from /', async ({ page }) => {
   await page.goto('/')
@@ -414,3 +414,79 @@ test('internet gateway shows proper list of routes targeting it', async ({ page
     '/projects/mock-project/vpcs/mock-vpc/routers/mock-custom-router'
   )
 })
+
+test('collaborator can create VPC', async ({ browser }) => {
+  const page = await getPageAsUser(browser, 'Jacob Klein')
+  await page.goto('/projects/mock-project/vpcs')
+
+  const table = page.getByRole('table')
+
+  // Create a new VPC
+  await page.getByRole('link', { name: 'New Vpc' }).click()
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('collab-test-vpc')
+  await page.getByRole('textbox', { name: 'DNS name' }).fill('collab-test-vpc')
+  await page.getByRole('button', { name: 'Create VPC' }).click()
+
+  // Should succeed and navigate to the VPC detail page
+  await expect(page.getByRole('heading', { name: 'collab-test-vpc' })).toBeVisible()
+  await expect(page.getByRole('tab', { name: 'Firewall Rules' })).toBeVisible()
+
+  // Navigate back to VPCs list to verify it was created
+  const breadcrumbs = page.getByRole('navigation', { name: 'Breadcrumbs' })
+  await breadcrumbs.getByRole('link', { name: 'VPCs' }).click()
+
+  await expectRowVisible(table, {
+    name: 'collab-test-vpc',
+    'DNS name': 'collab-test-vpc',
+  })
+})
+
+test('user in group with silo collaborator role can create VPC', async ({ browser }) => {
+  // Hans Jonas is in real-estate-devs group, which has silo.collaborator role
+  // Silo collaborator grants project admin, so he should be able to create VPCs
+  const page = await getPageAsUser(browser, 'Hans Jonas')
+  await page.goto('/projects/mock-project/vpcs')
+
+  const table = page.getByRole('table')
+
+  // Create a new VPC
+  await page.getByRole('link', { name: 'New Vpc' }).click()
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('group-test-vpc')
+  await page.getByRole('textbox', { name: 'DNS name' }).fill('group-test-vpc')
+  await page.getByRole('button', { name: 'Create VPC' }).click()
+
+  // Should succeed and navigate to the VPC detail page
+  await expect(page.getByRole('heading', { name: 'group-test-vpc' })).toBeVisible()
+  await expect(page.getByRole('tab', { name: 'Firewall Rules' })).toBeVisible()
+
+  // Navigate back to VPCs list to verify it was created
+  const breadcrumbs = page.getByRole('navigation', { name: 'Breadcrumbs' })
+  await breadcrumbs.getByRole('link', { name: 'VPCs' }).click()
+
+  await expectRowVisible(table, {
+    name: 'group-test-vpc',
+    'DNS name': 'group-test-vpc',
+  })
+})
+
+test('limited collaborator cannot create VPC', async ({ browser }) => {
+  const page = await getPageAsUser(browser, 'Herbert Marcuse')
+  await page.goto('/projects/mock-project/vpcs')
+
+  // Try to create a new VPC
+  await page.getByRole('link', { name: 'New Vpc' }).click()
+  await page.getByRole('textbox', { name: 'Name', exact: true }).fill('limited-test-vpc')
+  await page.getByRole('textbox', { name: 'DNS name' }).fill('limited-test-vpc')
+  await page.getByRole('button', { name: 'Create VPC' }).click()
+
+  // Expect the action to fail; Limited Collaborator role does not allow VPC creation
+  await expect(page.getByText('Action not authorized')).toBeVisible()
+
+  // Close the modal
+  await page.getByRole('button', { name: 'Close' }).click()
+  await page.getByRole('button', { name: 'Leave form' }).click()
+
+  // Verify we're still on the VPCs list page and the VPC was not created
+  await expect(page.getByRole('heading', { name: 'VPCs' })).toBeVisible()
+  await expect(page.getByRole('cell', { name: 'limited-test-vpc' })).toBeHidden()
+})