diff --git a/controllers/auth_config_controller.go b/controllers/auth_config_controller.go
index e871c961..9140e322 100644
--- a/controllers/auth_config_controller.go
+++ b/controllers/auth_config_controller.go
@@ -183,13 +183,13 @@ func (r *AuthConfigReconciler) translateAuthConfig(ctx context.Context, authConf
 for identityCfgName, identity := range authConfigIdentityConfigs {
 extendedProperties := make([]evaluators.IdentityExtension, len(identity.Defaults)+len(identity.Overrides))
 for propertyName, property := range identity.Defaults {
- extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
+ extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
 Static: property.Value,
 Pattern: property.Selector,
 }, false))
 }
 for propertyName, property := range identity.Overrides {
- extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, &json.JSONValue{
+ extendedProperties = append(extendedProperties, evaluators.NewIdentityExtension(propertyName, json.JSONValue{
 Static: property.Value,
 Pattern: property.Selector,
 }, true))
diff --git a/install/manifests.yaml b/install/manifests.yaml
index ece6c6bb..e269754d 100644
--- a/install/manifests.yaml
+++ b/install/manifests.yaml
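Review bot: `extendedProperties := make([]evaluators.IdentityExtension, len(identity.Defaults)+len(identity.Overrides))` (a context line in this hunk) allocates a slice of that *length*, so the two `append` loops below leave `len(Defaults)+len(Overrides)` zero-valued extensions at the front of the slice; the `Value != nil` guard this commit adds in `pkg/evaluators/identity.go` is what keeps those empty entries from reaching `ResolveFor`. The intended call is `extendedProperties := make([]evaluators.IdentityExtension, 0, len(identity.Defaults)+len(identity.Overrides))`, which pre-sizes the capacity and removes the placeholder entries entirely instead of filtering them later. `translateAuthConfig` begins before and continues after this hunk.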
@@ -5254,6 +5254,80 @@ kind: ClusterRole metadata: name: authorino-manager-role rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - delete + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create - apiGroups: - authorino.kuadrant.io resources: @@ -5274,6 +5348,12 @@ rules: - get - patch - update +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create - apiGroups: - coordination.k8s.io resources: 
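Review bot: The rules added to `authorino-manager-role` here go well beyond what the Go changes in this commit need: only `tokenreviews`/`subjectaccessreviews` `create` (and plausibly `secrets` get/list/watch) relate to Authorino's own Kubernetes auth features, while full CRUD on `configmaps` and `apps/deployments`, create/update on `serviceaccounts` and `services`, create/update on `clusterroles`, `clusterrolebindings`, `roles` and `rolebindings`, and CRUD on `operator.authorino.kuadrant.io/authorinos` (this file's next hunk) look like an operator's role rather than the auth service's. A subject that can create and update ClusterRoles and ClusterRoleBindings cluster-wide has a far larger blast radius than an authorization service requires, so please confirm these rules are intended and were not picked up by the RBAC generator from another module's `+kubebuilder:rbac` markers. The identical rule set is repeated for `manager-role` in `install/rbac/role.yaml` in the following two hunks, which is presumably the source this bundle is built from; if the extra rules are unintended, dropping them at the source and regenerating keeps both files in sync.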
@@ -5291,3 +5371,69 @@ rules: - get - list - watch +- apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/finalizers + verbs: + - update +- apiGroups: + - operator.authorino.kuadrant.io + resources: + - authorinos/status + verbs: + - get + - patch + - update +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterrolebindings + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - create + - get + - list + - update + - watch diff --git a/install/rbac/role.yaml b/install/rbac/role.yaml index 69520e9e..2328df39 100644 --- a/install/rbac/role.yaml +++ b/install/rbac/role.yaml 
@@ -4,6 +4,80 @@ kind: ClusterRole metadata: name: manager-role rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - delete + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create - apiGroups: - authorino.kuadrant.io resources: @@ -24,6 +98,12 @@ rules: - get - patch - update +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create - apiGroups: - coordination.k8s.io resources: 
@@ -41,3 +121,69 @@ rules:
 - get
 - list
 - watch
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - operator.authorino.kuadrant.io
+ resources:
+ - authorinos/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterrolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - clusterroles
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - roles
+ verbs:
+ - create
+ - get
+ - list
+ - update
+ - watch
diff --git a/pkg/evaluators/identity.go b/pkg/evaluators/identity.go
index 0bce9cbf..01608d47 100644
--- a/pkg/evaluators/identity.go
+++ b/pkg/evaluators/identity.go
@@ -199,11 +199,13 @@ func (config *IdentityConfig) ResolveExtendedProperties(pipeline auth.AuthPipeli
 authJSON := pipeline.GetAuthorizationJSON()
 for _, extendedProperty := range config.ExtendedProperties {
- resolved, err := extendedProperty.ResolveFor(extendedIdentityObject, authJSON)
- if err != nil {
- return nil, err
+ if extendedProperty.Value != nil {
+ resolved, err := extendedProperty.ResolveFor(extendedIdentityObject, authJSON)
+ if err != nil {
+ return nil, err
+ }
+ extendedIdentityObject[extendedProperty.Name] = resolved
 }
- extendedIdentityObject[extendedProperty.Name] = resolved
 }
 return extendedIdentityObject, nil
diff --git a/pkg/evaluators/identity_extension.go b/pkg/evaluators/identity_extension.go
index 63dc87a9..bbea29fc 100644
--- a/pkg/evaluators/identity_extension.go
+++ b/pkg/evaluators/identity_extension.go
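Review bot: The new `if extendedProperty.Value != nil` guard silently drops any extension whose value is unset instead of reporting it, and nothing in the hunk explains why a nil `Value` is an expected state; the only producer of such entries visible in this commit is the zero-valued prefix left by the slice length chosen in `controllers/auth_config_controller.go`. If a nil value is legitimate, a comment such as `// extensions without a value expression contribute nothing and are skipped` would make that explicit; if it is not, returning an error for a nil value would surface a misconfigured extension rather than hide it. `ResolveExtendedProperties` begins before this hunk.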
@@ -1,15 +1,14 @@
 package evaluators
 import (
- "github.com/kuadrant/authorino/pkg/expressions"
 "github.com/kuadrant/authorino/pkg/json"
 )
-func NewIdentityExtension(name string, value expressions.Value, overwrite bool) IdentityExtension {
+func NewIdentityExtension(name string, value json.JSONValue, overwrite bool) IdentityExtension {
 return IdentityExtension{
 JSONProperty: json.JSONProperty{
 Name: name,
- Value: value,
+ Value: &value,
 },
 Overwrite: overwrite,
 }
diff --git a/pkg/evaluators/identity_extension_test.go b/pkg/evaluators/identity_extension_test.go
index 34ee0f2b..922c1765 100644
--- a/pkg/evaluators/identity_extension_test.go
+++ b/pkg/evaluators/identity_extension_test.go
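Review bot: `NewIdentityExtension` is exported but carries no doc comment, and this change narrows its contract from the `expressions.Value` interface to the concrete `json.JSONValue`, which breaks any caller that passed a different `expressions.Value` implementation. A doc comment such as `// NewIdentityExtension returns an IdentityExtension named name that resolves value (a Static string or a Pattern); when overwrite is true an existing identity property of the same name is replaced, otherwise the existing one is kept.` would record the behaviour the cases in identity_extension_test.go pin down. Storing `&value` takes the address of the by-value parameter, which is valid Go (the copy escapes to the heap), but it means each extension owns a private copy of the JSONValue rather than sharing the caller's; worth a one-line comment so nobody later "optimises" it back to a shared pointer. The function's closing brace lies outside this hunk.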
@@ -23,62 +23,62 @@ func TestResolveIdentityExtension(t *testing.T) {
 }{
 {
 name: "static value for existing property without overwrite",
- input: NewIdentityExtension("username", &json.JSONValue{Static: "foo"}, false),
+ input: NewIdentityExtension("username", json.JSONValue{Static: "foo"}, false),
 expected: "beth",
 },
 {
 name: "static value for missing property without overwrite",
- input: NewIdentityExtension("uid", &json.JSONValue{Static: "foo"}, false),
+ input: NewIdentityExtension("uid", json.JSONValue{Static: "foo"}, false),
 expected: "foo",
 },
 {
 name: "static value for existing property without overwrite",
- input: NewIdentityExtension("username", &json.JSONValue{Static: "foo"}, true),
+ input: NewIdentityExtension("username", json.JSONValue{Static: "foo"}, true),
 expected: "foo",
 },
 {
 name: "static value for missing property without overwrite",
- input: NewIdentityExtension("uid", &json.JSONValue{Static: "foo"}, true),
+ input: NewIdentityExtension("uid", json.JSONValue{Static: "foo"}, true),
 expected: "foo",
 },
 {
 name: "existing pattern for existing property without overwrite",
- input: NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.sub"}, false),
+ input: NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.sub"}, false),
 expected: "beth",
 },
 {
 name: "existing pattern for missing property without overwrite",
- input: NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.sub"}, false),
+ input: NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.sub"}, false),
 expected: "1234567890",
 },
 {
 name: "existing pattern for existing property without overwrite",
- input: NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.sub"}, true),
+ input: NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.sub"}, true),
 expected: "1234567890",
 },
 {
 name: "existing pattern for missing property without overwrite",
- input: NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.sub"}, true),
+ input: NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.sub"}, true),
 expected: "1234567890",
 },
 {
 name: "missing pattern for existing property without overwrite",
- input: NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.full_name"}, false),
+ input: NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.full_name"}, false),
 expected: "beth",
 },
 {
 name: "missing pattern for missing property without overwrite",
- input: NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.full_name"}, false),
+ input: NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.full_name"}, false),
 expected: "",
 },
 {
 name: "missing pattern for existing property without overwrite",
- input: NewIdentityExtension("username", &json.JSONValue{Pattern: "auth.identity.full_name"}, true),
+ input: NewIdentityExtension("username", json.JSONValue{Pattern: "auth.identity.full_name"}, true),
 expected: "",
 },
 {
 name: "missing pattern for missing property without overwrite",
- input: NewIdentityExtension("uid", &json.JSONValue{Pattern: "auth.identity.full_name"}, true),
+ input: NewIdentityExtension("uid", json.JSONValue{Pattern: "auth.identity.full_name"}, true),
 expected: "",
 },
 }
diff --git a/pkg/evaluators/identity_test.go b/pkg/evaluators/identity_test.go
index 39620adf..8e16f6f2 100644
--- a/pkg/evaluators/identity_test.go
+++ b/pkg/evaluators/identity_test.go
@@ -41,8 +41,8 @@ func TestIdentityConfig_ResolveExtendedProperties(t *testing.T) {
 Name: "test",
 KubernetesAuth: &identity.KubernetesAuth{},
 ExtendedProperties: []IdentityExtension{
- NewIdentityExtension("prop1", &json.JSONValue{Static: "value1"}, true),
- NewIdentityExtension("prop2", &json.JSONValue{Pattern: "auth.identity.sub"}, true),
+ NewIdentityExtension("prop1", json.JSONValue{Static: "value1"}, true),
+ NewIdentityExtension("prop2", json.JSONValue{Pattern: "auth.identity.sub"}, true),
 },
 }
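Review bot: Half of the case names in this table are wrong and every name is duplicated: the cases that pass `true` as the last argument (e.g. `NewIdentityExtension("username", json.JSONValue{Static: "foo"}, true)`) are still labelled `"... without overwrite"`, so a failing subtest cannot be told apart from its `false` twin by name. Renaming those six to the form `name: "static value for existing property with overwrite"` (and likewise for the pattern cases) makes the table self-describing; the commit touches each of these lines' neighbours, so this is a cheap moment to fix it. `TestResolveIdentityExtension` begins before and ends after this hunk.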