diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 64d01cf7369..99cb957ea7d 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -858,17 +858,18 @@ rules:
 - apiGroups:
 - services.platform.opendatahub.io
 resources:
- - auths/status
- - monitorings/status
+ - auths/finalizers
+ - monitorings/finalizers
 verbs:
- - get
- - patch
 - update
 - apiGroups:
 - services.platform.opendatahub.io
 resources:
- - monitorings/finalizers
+ - auths/status
+ - monitorings/status
 verbs:
+ - get
+ - patch
 - update
 - apiGroups:
 - serving.knative.dev
diff --git a/controllers/datasciencecluster/kubebuilder_rbac.go b/controllers/datasciencecluster/kubebuilder_rbac.go
index 66435ac31e8..6a54687d76c 100644
--- a/controllers/datasciencecluster/kubebuilder_rbac.go
+++ b/controllers/datasciencecluster/kubebuilder_rbac.go
@@ -235,3 +235,4 @@ package datasciencecluster
 // Auth
 // +kubebuilder:rbac:groups=services.platform.opendatahub.io,resources=auths,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=services.platform.opendatahub.io,resources=auths/status,verbs=get;update;patch
+// +kubebuilder:rbac:groups=services.platform.opendatahub.io,resources=auths/finalizers,verbs=update
diff --git a/controllers/services/auth/auth_controller.go b/controllers/services/auth/auth_controller.go
index 226fc857d0e..c9be7fc97f7 100644
--- a/controllers/services/auth/auth_controller.go
+++ b/controllers/services/auth/auth_controller.go
@@ -25,6 +25,7 @@ import (
 ctrl "sigs.k8s.io/controller-runtime"

 serviceApi "github.com/opendatahub-io/opendatahub-operator/v2/apis/services/v1alpha1"
+ "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/deploy"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/actions/render/template"
 "github.com/opendatahub-io/opendatahub-operator/v2/pkg/controller/reconciler"
 )
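Review bot: The new `auths/finalizers` marker in kubebuilder_rbac.go is added without any record of why the operator needs it, which makes later least-privilege review of this role harder. If it is there so that objects deployed for the Auth instance can carry an owner reference with `blockOwnerDeletion` (my assumption, given the deploy action added in auth_controller.go), a line such as `// finalizers/update is required to set owner references on resources deployed for Auth` above the marker would document that. The grant itself is limited to `update`, which matches the existing `monitorings/finalizers` rule in role.yaml.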
@@ -54,6 +55,9 @@ func NewServiceReconciler(ctx context.Context, mgr ctrl.Manager) error {
 )).
 WithAction(copyGroups).
 WithAction(managePermissions).
+ WithAction(deploy.NewAction(
+ deploy.WithCache(),
+ )).
 WithAction(setStatus).
 Build(ctx)

diff --git a/controllers/services/auth/auth_controller_actions.go b/controllers/services/auth/auth_controller_actions.go
index 8b374972bbd..a764e6e26eb 100644
--- a/controllers/services/auth/auth_controller_actions.go
+++ b/controllers/services/auth/auth_controller_actions.go
@@ -141,7 +141,7 @@ func bindRole(ctx context.Context, rr *odhtypes.ReconciliationRequest, groups []
 Name: roleName,
 },
 }
- err := rr.Client.Update(ctx, rb)
+ err := rr.AddResources(rb)
 if err != nil {
 return errors.New("error creating RoleBinding for group")
 }
@@ -199,13 +199,6 @@ func managePermissions(ctx context.Context, rr *odhtypes.ReconciliationRequest)
 return errors.New("instance is not of type *services.Auth")
 }

- for _, role := range rr.Resources {
- err := rr.Client.Update(ctx, &role)
- if err != nil {
- return err
- }
- }
-
 err := bindRole(ctx, rr, ai.Spec.AdminGroups, "admingroup-rolebinding", "admingroup-role")
 if err != nil {
 return err
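Review bot: `deploy.WithCache()` is now on the path that applies the Role and RoleBinding objects staged by `managePermissions`, and nothing in this hunk says how a cached deploy treats an object that was edited in the cluster after the last apply. For RBAC objects that matters: if a cache hit skips the apply, a RoleBinding whose subjects were changed out of band would keep the extra subjects until the cache entry expires, so it is worth confirming (the deploy package is not visible here) that the cache is invalidated when the live object changes, or dropping the option for this controller. The action order is also load-bearing now, since `bindRole` only calls `rr.AddResources`; a comment such as `// deploy applies the RBAC objects staged by managePermissions and must stay after it` would guard against reordering. The builder chain starts and ends outside the hunk.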
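Review bot: The error returned by `rr.AddResources(rb)` in the `bindRole` hunk is discarded and replaced with a fixed string, so a failure to stage the RoleBinding cannot be diagnosed from the reconcile error, and the text still says "creating" although this call no longer writes to the cluster as far as the hunk shows. Wrapping keeps the cause: `return fmt.Errorf("adding RoleBinding for role %q to resources: %w", roleName, err)` (this assumes `fmt` is imported in auth_controller_actions.go, which is not visible here). `bindRole` starts and ends outside the hunk, so the `ctx` parameter may now be unused there.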