diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index e76734c..1407b01 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -5,18 +5,6 @@ metadata:
   creationTimestamp: null
   name: manager-role
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
   - apiGroups:
       - cerberus.snappcloud.io
     resources:
@@ -109,3 +97,23 @@ rules:
       - get
       - patch
       - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  creationTimestamp: null
+  name: manager-role
+  namespace: "'cerberus-system'"
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
diff --git a/controllers/accesstoken_controller.go b/controllers/accesstoken_controller.go
index d7f1fb4..68ea76d 100644
--- a/controllers/accesstoken_controller.go
+++ b/controllers/accesstoken_controller.go
@@ -58,6 +58,7 @@ func (r *AccessTokenReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 
 // SetupWithManager sets up the controller with the Manager.
 func (r *AccessTokenReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	// TODO: reconcile on secret change
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&cerberusv1alpha1.AccessToken{}).
 		Complete(r)
diff --git a/pkg/auth/authenticator.go b/pkg/auth/authenticator.go
index 5a852e1..6d06eec 100644
--- a/pkg/auth/authenticator.go
+++ b/pkg/auth/authenticator.go
@@ -48,7 +48,7 @@ const (
 //+kubebuilder:rbac:groups=cerberus.snappcloud.io,resources=webservices/status,verbs=get;
 //+kubebuilder:rbac:groups=cerberus.snappcloud.io,resources=webserviceaccountbindings,verbs=get;list;watch;
 //+kubebuilder:rbac:groups=cerberus.snappcloud.io,resources=webserviceaccountbindings/status,verbs=get;
-//+kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;create;update;patch;delete
+//+kubebuilder:rbac:groups="",namespace='cerberus-system',resources=secrets,verbs=get;list;watch;create;update;patch;delete
 
 // TODO add Secrets to be watched
 func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, readOnly bool) error {
@@ -79,6 +79,7 @@ func (a *Authenticator) UpdateCache(c client.Client, ctx context.Context, readOn
 	// TODO find cleaner way to select
 	err = c.List(ctx, secrets,
 		client.MatchingLabels{"cerberus.snappcloud.io/secret": "true"},
+		client.InNamespace("cerberus-system"),
 	)
 	if err != nil {
 		return err