diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d6a9bc4c..3a4099f34 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 * Set default MySQL server version to `5.7.35`
 * Bump Orchestrator to `3.2.6`
 * Change policy/v1beta1 to policy/v1
+* Add RBAC permissions when deploying on OpenShift
 ### Removed
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 50902299a..218419b24 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -85,6 +85,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mysql.presslabs.org
+ resources:
+ - mysqlbackups/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mysql.presslabs.org
 resources:
@@ -98,10 +104,17 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mysql.presslabs.org
+ resources:
+ - mysqlclusters/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mysql.presslabs.org
 resources:
 - mysqldatabases
+ - mysqldatabases/finalizers
 - mysqldatabases/status
 verbs:
 - create
@@ -111,6 +124,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mysql.presslabs.org
+ resources:
+ - mysqldatabases/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mysql.presslabs.org
 resources:
diff --git a/deploy/charts/mysql-operator/templates/clusterrole.yaml b/deploy/charts/mysql-operator/templates/clusterrole.yaml
index 15e6281e8..f9c064f6a 100644
--- a/deploy/charts/mysql-operator/templates/clusterrole.yaml
+++ b/deploy/charts/mysql-operator/templates/clusterrole.yaml
@@ -85,6 +85,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mysql.presslabs.org
+ resources:
+ - mysqlbackups/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mysql.presslabs.org
 resources:
@@ -98,10 +104,17 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mysql.presslabs.org
+ resources:
+ - mysqlclusters/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mysql.presslabs.org
 resources:
 - mysqldatabases
+ - mysqldatabases/finalizers
 - mysqldatabases/status
 verbs:
 - create
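Review bot: The second role.yaml hunk adds `mysqldatabases/finalizers` to the existing rule that carries the broad verb list, and the third hunk then adds a separate rule granting only `update` on the same subresource. That makes the update-only rule redundant and leaves the effective grant wider than the `update` given for `mysqlbackups/finalizers` and `mysqlclusters/finalizers`. The same pair appears in the clusterrole.yaml chart template and seems to come from the db_controller.go marker that appends `;mysqldatabases/finalizers` to the `get;list;watch;create;update;patch;delete` resource list. If `update` is all that is needed, as for the other two kinds, drop `mysqldatabases/finalizers` from the broad rule (and from that marker, assuming these manifests are generated from the markers) so the `verbs=update` rule is the only grant. The rules touched by both hunks continue outside the visible lines.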
@@ -111,6 +124,12 @@ rules:
 - patch
 - update
 - watch
+- apiGroups:
+ - mysql.presslabs.org
+ resources:
+ - mysqldatabases/finalizers
+ verbs:
+ - update
 - apiGroups:
 - mysql.presslabs.org
 resources:
diff --git a/pkg/controller/mysqlbackup/mysqlbackup_controller.go b/pkg/controller/mysqlbackup/mysqlbackup_controller.go
index 31bcd2603..96c0e086d 100644
--- a/pkg/controller/mysqlbackup/mysqlbackup_controller.go
+++ b/pkg/controller/mysqlbackup/mysqlbackup_controller.go
@@ -102,6 +102,7 @@ type ReconcileMysqlBackup struct {
 // Automatically generate RBAC rules to allow the Controller to read and write Deployments
 // +kubebuilder:rbac:groups=batch,resources=jobs,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=mysql.presslabs.org,resources=mysqlbackups;mysqlbackups/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mysql.presslabs.org,resources=mysqlbackups/finalizers,verbs=update
 // Reconcile reads that state of the cluster for a MysqlBackup object and makes changes based on the state read
 // and what is in the MysqlBackup.Spec
diff --git a/pkg/controller/mysqlcluster/mysqlcluster_controller.go b/pkg/controller/mysqlcluster/mysqlcluster_controller.go
index bc5c4a208..81d80bf8a 100644
--- a/pkg/controller/mysqlcluster/mysqlcluster_controller.go
+++ b/pkg/controller/mysqlcluster/mysqlcluster_controller.go
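Review bot: The new `mysqlbackups/finalizers` marker in mysqlbackup_controller.go has no comment saying why the operator needs `update` on a finalizers subresource, so a later RBAC audit cannot tell whether the grant is still required. The changelog entry suggests it is for OpenShift, presumably because the OwnerReferencesPermissionEnforcement admission plugin is enabled there; that should be confirmed before it is written down. A one-line comment above the marker would do, for example `// finalizers/update: needed to set blockOwnerDeletion owner references where OwnerReferencesPermissionEnforcement is enabled (OpenShift)`. The same comment applies to the matching markers added in mysqlcluster_controller.go and db_controller.go.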
@@ -137,6 +137,7 @@ type ReconcileMysqlCluster struct {
 // +kubebuilder:rbac:groups=apps,resources=statefulsets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=core,resources=configmaps;secrets;services;events;jobs;pods;persistentvolumeclaims,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=mysql.presslabs.org,resources=mysqlclusters;mysqlclusters/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mysql.presslabs.org,resources=mysqlclusters/finalizers,verbs=update
 // +kubebuilder:rbac:groups=policy,resources=poddisruptionbudgets,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=coordination.k8s.io,resources=leases,verbs=get;list;watch;create;update;patch;delete
diff --git a/pkg/controller/mysqldatabase/db_controller.go b/pkg/controller/mysqldatabase/db_controller.go
index db63ec13b..517069253 100644
--- a/pkg/controller/mysqldatabase/db_controller.go
+++ b/pkg/controller/mysqldatabase/db_controller.go
@@ -65,7 +65,8 @@ type ReconcileMySQLDatabase struct {
 var _ reconcile.Reconciler = &ReconcileMySQLDatabase{}
 // Automatically generate RBAC rules to allow the Controller to read and write Deployments
-// +kubebuilder:rbac:groups=mysql.presslabs.org,resources=mysqldatabases;mysqldatabases/status,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mysql.presslabs.org,resources=mysqldatabases;mysqldatabases/status;mysqldatabases/finalizers,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=mysql.presslabs.org,resources=mysqldatabases/finalizers,verbs=update
 // Reconcile reads that state of the cluster for a Wordpress object and makes changes based on the state read
 // and what is in the Wordpress.Spec