diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 5406ca0..5796852 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -80,31 +80,31 @@ rules:
   - patch
   - update
 - apiGroups:
-  - group.openshift.io
+  - rbac.authorization.k8s.io
   resources:
-  - users
+  - clusterrolebindings
   verbs:
-  - create
-  - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:
-  - clusterrolebindings
+  - rolebindings
   verbs:
+  - create
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
-  - rbac.authorization.k8s.io
+  - user.openshift.io
   resources:
-  - rolebindings
+  - groups
   verbs:
   - create
+  - delete
   - get
   - list
   - patch
diff --git a/controllers/groupsync_controller.go b/controllers/groupsync_controller.go
index a9ccd7a..312eda3 100644
--- a/controllers/groupsync_controller.go
+++ b/controllers/groupsync_controller.go
@@ -40,7 +40,7 @@ const OrganizationMembersManifestName = "members"
 
 const UpstreamFinalizerPrefix = "agent.appuio.io/group-zone-"
 
-//+kubebuilder:rbac:groups=group.openshift.io,resources=users,verbs=get;list;watch;update;patch;create;delete
+//+kubebuilder:rbac:groups=user.openshift.io,resources=groups,verbs=get;list;watch;update;patch;create;delete
 
 // Reconcile syncs the Group with the upstream OrganizationMembers or Team resource from the foreign (Control-API) cluster.
 func (r *GroupSyncReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {