diff --git a/config/rbac/controller/role.yaml b/config/rbac/controller/role.yaml
index d6b0131a..11e67220 100644
--- a/config/rbac/controller/role.yaml
+++ b/config/rbac/controller/role.yaml
@@ -179,6 +179,14 @@ rules:
 - get
 - patch
 - update
+- apiGroups:
+ - rbac.appuio.io
+ resources:
+ - users
+ verbs:
+ - create
+ - patch
+ - update
 - apiGroups:
 - rbac.authorization.k8s.io
 resources:
diff --git a/controllers/default_organization_controller.go b/controllers/default_organization_controller.go
index a879d182..1ef9f8b6 100644
--- a/controllers/default_organization_controller.go
+++ b/controllers/default_organization_controller.go
@@ -24,7 +24,8 @@ type DefaultOrganizationReconciler struct {
 }
 
 //+kubebuilder:rbac:groups=appuio.io,resources=organizationmembers,verbs=get;list;watch
-//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch;update;patch
+//+kubebuilder:rbac:groups=appuio.io,resources=users,verbs=get;list;watch
+//+kubebuilder:rbac:groups=rbac.appuio.io,resources=users,verbs=create;update;patch
 //+kubebuilder:rbac:groups=appuio.io,resources=users/status,verbs=get
 
 // Reconcile reacts on changes of memberships and sets members' default organization if appropriate
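Review bot: The added rule grants write verbs on every `users` object in `rbac.appuio.io`, yet this file has no hunk removing `patch`/`update` from the existing `appuio.io` `users` rule, although the marker in controllers/default_organization_controller.go drops exactly those verbs. If role.yaml is generated from the kubebuilder markers, either another controller still requests them or the role was not fully regenerated. It is worth confirming which, so the role does not keep write access that nothing uses any more. The rest of `rules:` lies outside the hunk, so the `appuio.io` entry cannot be checked from here.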
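Review bot: The new marker requests `create` on `rbac.appuio.io` users, while the doc comment just below says Reconcile only sets a member's default organization, which reads as a change to an existing object. If the reconciler never creates users, the narrower form is `//+kubebuilder:rbac:groups=rbac.appuio.io,resources=users,verbs=update;patch`. The markers also now read users through `appuio.io` and write them through `rbac.appuio.io` with no explanation. Presumably the split is deliberate, so a short comment above the markers stating why writes are authorized against a different group would save the next reviewer from treating it as a typo. Reconcile's body is outside the hunk, so the actual client calls could not be checked.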