diff --git a/charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml b/charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml
index 9f7a67a41b..2a6aca9093 100644
--- a/charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml
+++ b/charts/t8s-cluster/templates/management-cluster/clusterClass/_authenticationConfig.yaml
@@ -9,6 +9,8 @@ jwt:
 claimMappings:
 username:
 expression: claims.email
+ groups:
+ expression: dyn(claims.groups).map(g, "teuto.net:" + g)
 claimValidationRules:
 - expression: (has(claims.email_verified) && claims.email_verified) || !has(claims.email_verified)
 message: email must be verified
diff --git a/charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml b/charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml
new file mode 100644
index 0000000000..f328ce114b
--- /dev/null
+++ b/charts/t8s-cluster/templates/workload-cluster/rbac/teuto-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+{{- include "t8s-cluster.helm.resourceIntoCluster" (dict "name" "teuto-rbac" "resource" (include "t8s-cluster.rbac.teuto" (dict)) "context" $ "additionalLabels" (dict "app.kubernetes.io/component" "rbac")) | nindent 0 -}}
+
+{{- define "t8s-cluster.rbac.teuto" -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: teuto-staff
+subjects:
+ - kind: Group
+ name: teuto.net:staff
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+{{- end -}}
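Review bot: The new `groups` expression dereferences `claims.groups` unconditionally, unlike the sibling `claimValidationRules` entry in the same hunk which guards `claims.email_verified` with `has(...)`; for a token that carries no `groups` claim the CEL evaluation should error out, and in the structured authentication config a failing claim-mapping expression rejects the whole authentication rather than yielding an empty group list (please confirm against the apiserver version in use). That would lock out every user whose IdP only emits `groups` when the user is in at least one group, which is a silent availability regression rather than a permission one. Mirroring the existing guard, `expression: has(claims.groups) ? dyn(claims.groups).map(g, "teuto.net:" + g) : []` keeps the prefixing and degrades to no groups instead. It is also worth stating in a comment above the mapping that the `teuto.net:` prefix is what keeps IdP-supplied group names out of the `system:` namespace and is relied on by the RBAC bindings in the workload-cluster templates, so the two must change together. The enclosing `jwt:` list item starts before this hunk.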
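Review bot: The new binding hands `cluster-admin` to the group `teuto.net:staff`, which after the groups mapping in `_authenticationConfig.yaml` is whatever group the external IdP calls `staff`, and the template documents neither that trust boundary nor why the broadest built-in role is required. Anyone the IdP places in that group obtains unrestricted access to every cluster rendered from this chart (presumably all workload clusters; confirm how the template is scoped), so I would add a comment above the `define` along the lines of `# Grants full cluster-admin to every member of the IdP group "staff"; the "teuto.net:" prefix must match the groups claim mapping in the management-cluster authentication config.` It is also worth noting in the same comment whether a narrower ClusterRole was considered and whether the binding can be disabled per cluster, since a static binding in the chart cannot be revoked short of re-rendering. Minor: the rendered resource is registered as `teuto-rbac` in the `include` on the first line but named `teuto-staff` in `metadata.name`; aligning the two would make audit logs and `kubectl get clusterrolebinding` output easier to correlate.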