diff --git a/u4a-component/templates/oidc-server/iam-provider-rbac.yaml b/u4a-component/templates/oidc-server/iam-provider-rbac.yaml
index dda5da4..9912250 100644
--- a/u4a-component/templates/oidc-server/iam-provider-rbac.yaml
+++ b/u4a-component/templates/oidc-server/iam-provider-rbac.yaml
@@ -2,12 +2,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: t7d.io.user-role
+  name: t7d.io.iam-provider
 rules:
 - apiGroups:
   - iam.tenxcloud.com
   resources:
   - users
+  - groups
   verbs:
   - create
   - delete
@@ -57,12 +58,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: t7d.io.user-provider
+  name: t7d.io.iam-provider
   namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: t7d.io.user-role
+  name: t7d.io.iam-provider
 subjects:
 - kind: ServiceAccount
   name: oidc-server