diff --git a/go.mod b/go.mod
index 2fb14fa..f870e01 100644
--- a/go.mod
+++ b/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/crossplane/crossplane-runtime v0.19.1
 	github.com/crossplane/crossplane-tools v0.0.0-20220901191540-806c0b01097b
 	github.com/edgefarm/vault-plugin-secrets-nats v1.1.0
+	github.com/go-test/deep v1.0.2
 	github.com/google/go-cmp v0.5.9
 	github.com/hashicorp/vault/api v1.9.0
 	github.com/hashicorp/vault/sdk v0.8.1
diff --git a/go.sum b/go.sum
index f08cb66..61f45e7 100644
--- a/go.sum
+++ b/go.sum
@@ -138,6 +138,7 @@ github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw=
+github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA=
 github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
diff --git a/internal/clients/issue/user.go b/internal/clients/issue/user.go
index 2839292..ddff848 100644
--- a/internal/clients/issue/user.go
+++ b/internal/clients/issue/user.go
@@ -6,12 +6,31 @@ import (
 	v1alpha1 "github.com/edgefarm/provider-natssecrets/apis/user/v1alpha1"
 	vault "github.com/edgefarm/provider-natssecrets/internal/clients"
 	natsbackend "github.com/edgefarm/vault-plugin-secrets-nats"
+	vaultv1alpha1 "github.com/edgefarm/vault-plugin-secrets-nats/pkg/claims/user/v1alpha1"
 )
 
 func UserPath(mount string, operator string, account string, user string) string {
 	return mount + "/issue/operator/" + operator + "/account/" + account + "/user/" + user
 }
 
+func fixEmptySlices(params *vaultv1alpha1.UserClaims) {
+	if params == nil {
+		return
+	}
+	if params.Permissions.Pub.Allow == nil {
+		params.Permissions.Pub.Allow = []string{}
+	}
+	if params.Permissions.Pub.Deny == nil {
+		params.Permissions.Pub.Deny = []string{}
+	}
+	if params.Permissions.Sub.Allow == nil {
+		params.Permissions.Sub.Allow = []string{}
+	}
+	if params.Permissions.Sub.Deny == nil {
+		params.Permissions.Sub.Deny = []string{}
+	}
+}
+
 func ReadUser(c *vault.Client, operator string, account string, user string) (*v1alpha1.UserParameters, *natsbackend.IssueUserStatus, error) {
 	path := UserPath(c.Mount, operator, account, user)
 
@@ -20,6 +39,7 @@ func ReadUser(c *vault.Client, operator string, account string, user string) (*v
 		return nil, nil, err
 	}
 	if resp != nil {
+		fixEmptySlices(&resp.Claims)
 		return &v1alpha1.UserParameters{
 			Operator: resp.Operator,
 			Account: resp.Account,
diff --git a/internal/controller/user/user.go b/internal/controller/user/user.go
index c1784ab..94cbde4 100644
--- a/internal/controller/user/user.go
+++ b/internal/controller/user/user.go
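Review bot: fixEmptySlices normalizes only the Vault side of the comparison: a nil permission list read back from Vault becomes `[]string{}`, but if the spec's `Permissions` lists are left nil when the user omits them (not visible in this hunk), the reflect.DeepEqual check in the controller would still report a difference and keep the resource permanently out of date. A comparison that treats nil and empty slices alike on both sides avoids mutating the response altogether; go-cmp is already required in go.mod, so `cmp.Equal(*data, cr.Spec.ForProvider, cmpopts.EquateEmpty())` in the controller would cover both directions. If the helper stays, give it a doc comment such as `// fixEmptySlices replaces nil permission lists in a Vault user response with empty slices so they compare equal to an explicitly empty list in the spec.` The call site `fixEmptySlices(&resp.Claims)` in the second hunk sits inside ReadUser, whose body continues outside the hunk.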
@@ -30,6 +30,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/connection"
 	"github.com/crossplane/crossplane-runtime/pkg/controller"
 	"github.com/crossplane/crossplane-runtime/pkg/event"
+	"github.com/crossplane/crossplane-runtime/pkg/logging"
 	"github.com/crossplane/crossplane-runtime/pkg/ratelimiter"
 	"github.com/crossplane/crossplane-runtime/pkg/reconciler/managed"
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
@@ -44,6 +45,8 @@ import (
 	"github.com/edgefarm/provider-natssecrets/internal/clients/jwt"
 	"github.com/edgefarm/provider-natssecrets/internal/clients/nkey"
 	"github.com/edgefarm/provider-natssecrets/internal/controller/features"
+
+	deep "github.com/go-test/deep"
 )
 
 const (
@@ -69,7 +72,8 @@ func Setup(mgr ctrl.Manager, o controller.Options) error {
 		managed.WithExternalConnecter(&connector{
 			kube: mgr.GetClient(),
 			usage: resource.NewProviderConfigUsageTracker(mgr.GetClient(), &apisv1alpha1.ProviderConfigUsage{}),
-			newServiceFn: vault.NewRootClient}),
+			newServiceFn: vault.NewRootClient,
+			logger: o.Logger}),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithConnectionPublishers(cps...))
@@ -87,6 +91,7 @@ type connector struct {
 	kube client.Client
 	usage resource.Tracker
 	newServiceFn func(creds []byte) (*vault.Client, error)
+	logger logging.Logger
 }
 
 type ProviderConfigSecretSpec struct {
@@ -129,13 +134,17 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errNewClient)
 	}
 
-	return &external{client: client}, nil
+	return &external{
+		client: client,
+		log: c.logger,
+	}, nil
 }
 
 // An ExternalClient observes, then either creates, updates, or deletes an
 // external resource to ensure it reflects the managed resource's desired state.
 type external struct {
 	client *vault.Client
+	log logging.Logger
 }
 
 const (
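Review bot: `external.log` is a nil interface whenever the connector is built without a logger, and Connect copies `c.logger` through unchecked, so the `c.log.Debug` calls added to Observe would panic on such an instance. Setup is the only constructor visible here and it does set `logger: o.Logger`, so this is a robustness gap rather than a live bug, but a default in Connect keeps the type safe to construct from tests or other call sites: `log := c.logger` followed by `if log == nil { log = logging.NewNopLogger() }` before the return, with `log: log` in the literal. Connect's body starts outside the hunk.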
@@ -179,6 +188,11 @@ func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.Ex
 		}, nil
 	}
 
+	diff := deep.Equal(*data, cr.Spec.ForProvider)
+	if diff != nil {
+		c.log.Debug("Observe", "user", user)
+		c.log.Debug("Compare failed", "diff", diff)
+	}
 	if !reflect.DeepEqual(data, &cr.Spec.ForProvider) {
 		return managed.ExternalObservation{
 			ResourceExists: true,
@@ -247,7 +261,7 @@ func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.Ex
 			ResourceUpToDate: true,
 		}, nil
 	}
-	if j == nil {
+	if userCreds == nil {
 		cr.SetConditions(xpv1.Creating().WithMessage("Waiting for user creds to be created"))
 		return managed.ExternalObservation{
 			ResourceExists: true,
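Review bot: the debug diff and the branch decision use two different comparators, so the log can disagree with the outcome: `deep.Equal` skips unexported fields and stops at `deep.MaxDepth` by default, while `reflect.DeepEqual` on the following line does neither, and the deep comparison runs on every reconcile even when debug logging is disabled. Let one comparison drive both, either by branching on `diff != nil` or by keeping `reflect.DeepEqual` as the decision and moving the two `c.log.Debug` calls inside that branch, computing the diff there. The two Debug lines could also be folded into one, `c.log.Debug("Compare failed", "user", user, "diff", diff)`, so the user and its diff land in the same log record. Observe's body begins and ends outside both hunks; the second hunk's rename to `userCreds` assumes that variable is declared earlier in the function.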