diff --git a/controllers/cfapi_auth.go b/controllers/cfapi_auth.go
index 135777c..4f7e7eb 100644
--- a/controllers/cfapi_auth.go
+++ b/controllers/cfapi_auth.go
@@ -16,6 +16,8 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/log"
 )
 
+const OIDC_USER_PREFIX = "sap.ids:"
+
 func (r *CFAPIReconciler) getUserClusterAdmins(ctx context.Context) ([]rbacv1.Subject, error) {
 subjects := []rbacv1.Subject{}
 crblist := &rbacv1.ClusterRoleBindingList{}
@@ -67,6 +69,13 @@ func (r *CFAPIReconciler) assignCfAdministrators(ctx context.Context, subjects [
 }
 }
 
+ //add prefix sap.ids: for all user names without prefix
+ for _, subject := range _subjects {
+ if subject.Kind == "User" && !strings.HasPrefix(subject.Name, OIDC_USER_PREFIX) {
+ subject.Name = OIDC_USER_PREFIX + subject.Name
+ }
+ }
+
 rb := &rbacv1.RoleBinding{
 ObjectMeta: metav1.ObjectMeta{
 Name: "cfapi-admins-binding",
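Review bot: The new constant `OIDC_USER_PREFIX` has no comment saying which setting it has to agree with, and it feeds RBAC subject names, which only match when they equal the username the cluster's authenticator produces, character for character. If the prefix is configured on the API server (for example through `--oidc-username-prefix`), a hard-coded copy here can drift from it without any error, so I would add a comment such as `// oidcUserPrefix must equal the username prefix applied by the cluster's OIDC authenticator.` The name is also exported and written in ALL_CAPS; if nothing outside this package uses it, Go convention would be `const oidcUserPrefix = "sap.ids:"`.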
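Review bot: The assignment `subject.Name = OIDC_USER_PREFIX + subject.Name` writes to the range variable, which is a copy of the element if `_subjects` is a `[]rbacv1.Subject` (as the return type of getUserClusterAdmins suggests; its declaration is outside the hunk), so the prefix is discarded and the RoleBinding below is created with the original names. Index the slice instead: `for i := range _subjects {` with `_subjects[i].Name = OIDC_USER_PREFIX + _subjects[i].Name` inside the existing condition. The condition also rewrites every `User` subject that lacks this one prefix, so a name that already carries another prefix (a different identity provider, or a `system:` user) would become `sap.ids:<that name>`; it is worth deciding whether such names should be skipped rather than rebound. The import hunk does not show `strings` being added, so confirm it is already imported. A unit test asserting the subject names on the resulting `cfapi-admins-binding` would catch the no-op.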