diff --git a/pkg/cluster/cluster.go b/pkg/cluster/cluster.go
index 66ec0dc60..85f60b601 100644
--- a/pkg/cluster/cluster.go
+++ b/pkg/cluster/cluster.go
@@ -133,8 +133,10 @@ func New(cfg Config, kubeClient k8sutil.KubernetesClient, pgSpec acidv1.Postgres
 Services: make(map[PostgresRole]*v1.Service),
 Endpoints: make(map[PostgresRole]*v1.Endpoints)},
 userSyncStrategy: users.DefaultUserSyncStrategy{
- PasswordEncryption: passwordEncryption,
- RoleDeletionSuffix: cfg.OpConfig.RoleDeletionSuffix},
+ PasswordEncryption: passwordEncryption,
+ RoleDeletionSuffix: cfg.OpConfig.RoleDeletionSuffix,
+ AdditionalOwnerRoles: cfg.OpConfig.AdditionalOwnerRoles,
+ },
 deleteOptions: metav1.DeleteOptions{PropagationPolicy: &deletePropagationPolicy},
 podEventsQueue: podEventsQueue,
 KubeClient: kubeClient,
diff --git a/pkg/cluster/sync.go b/pkg/cluster/sync.go
index 68f0f62e1..a34279533 100644
--- a/pkg/cluster/sync.go
+++ b/pkg/cluster/sync.go
@@ -657,7 +657,7 @@ func (c *Cluster) syncSecrets() error {
 return fmt.Errorf("could not init db connection: %v", err)
 }
 pgSyncRequests := c.userSyncStrategy.ProduceSyncRequests(spec.PgUserMap{}, rotationUsers)
- if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb, c.OpConfig.AdditionalOwnerRoles); err != nil {
+ if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb); err != nil {
 return fmt.Errorf("error creating database roles for password rotation: %v", err)
 }
 if err := c.closeDbConn(); err != nil {
@@ -872,7 +872,7 @@ func (c *Cluster) syncRoles() (err error) {
 }
 pgSyncRequests := c.userSyncStrategy.ProduceSyncRequests(dbUsers, c.pgUsers)
- if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb, c.OpConfig.AdditionalOwnerRoles); err != nil {
+ if err = c.userSyncStrategy.ExecuteSyncRequests(pgSyncRequests, c.pgDb); err != nil {
 return fmt.Errorf("error executing sync statements: %v", err)
 }
diff --git a/pkg/spec/types.go b/pkg/spec/types.go
index 2f2caba08..02f67d253 100644
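Review bot: `New` now snapshots `cfg.OpConfig.AdditionalOwnerRoles` into the strategy once, whereas before this change both sync.go call sites read `c.OpConfig.AdditionalOwnerRoles` at every execution; if the operator's OpConfig can be replaced after the cluster is constructed (not visible from the diff), role syncs would keep using the stale list. The assignment also stores the config's slice header itself, so the strategy and the config share one backing array: an in-place edit on either side is visible to the other while a reassignment is not. If a snapshot is the intent, copy it explicitly, `AdditionalOwnerRoles: append([]string(nil), cfg.OpConfig.AdditionalOwnerRoles...),`. The body of `New` starts and ends outside the hunk.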
--- a/pkg/spec/types.go
+++ b/pkg/spec/types.go
@@ -75,7 +75,7 @@ type PgSyncUserRequest struct {
 // UserSyncer defines an interface for the implementations to sync users from the manifest to the DB.
 type UserSyncer interface {
 ProduceSyncRequests(dbUsers PgUserMap, newUsers PgUserMap) (req []PgSyncUserRequest)
- ExecuteSyncRequests(req []PgSyncUserRequest, db *sql.DB, additionalOwners []string) error
+ ExecuteSyncRequests(req []PgSyncUserRequest, db *sql.DB) error
 }
 // LogEntry describes log entry in the RingLogger
diff --git a/pkg/util/users/users.go b/pkg/util/users/users.go
index fafd06c35..7aa5fe242 100644
--- a/pkg/util/users/users.go
+++ b/pkg/util/users/users.go
@@ -32,8 +32,9 @@ const (
 // an existing roles of another role membership, nor it removes the already assigned flag
 // (except for the NOLOGIN). TODO: process other NOflags, i.e. NOSUPERUSER correctly.
 type DefaultUserSyncStrategy struct {
- PasswordEncryption string
- RoleDeletionSuffix string
+ PasswordEncryption string
+ RoleDeletionSuffix string
+ AdditionalOwnerRoles []string
 }
 // ProduceSyncRequests figures out the types of changes that need to happen with the given users.
@@ -104,7 +105,7 @@ func (strategy DefaultUserSyncStrategy) ProduceSyncRequests(dbUsers spec.PgUserM
 }
 // ExecuteSyncRequests makes actual database changes from the requests passed in its arguments.
-func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSyncUserRequest, db *sql.DB, additionalOwnerRoles []string) error {
+func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSyncUserRequest, db *sql.DB) error {
 var reqretries []spec.PgSyncUserRequest
 errors := make([]string, 0)
 for _, request := range requests {
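Review bot: The new exported field `AdditionalOwnerRoles` on `DefaultUserSyncStrategy` has no doc comment, and it quietly changes the contract of `ExecuteSyncRequests`: the owner-membership repair is now skipped whenever the field is empty instead of being driven by an explicit argument at each call, so a zero-value `DefaultUserSyncStrategy{}` built elsewhere (tests, another constructor) disables that repair with no signal. Document the field so the dependency is visible, e.g. `// AdditionalOwnerRoles are roles that must not be members of a database owner role; ExecuteSyncRequests revokes the owner from them when altering the owner fails.` The `ExecuteSyncRequests` doc comment in the later hunk could likewise mention that the list is taken from the receiver. The explanatory comment block above the struct is cut off at the top of the hunk.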
@@ -120,8 +121,8 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
 errors = append(errors, fmt.Sprintf("could not alter user %q: %v", request.User.Name, err))
 // check if additional owners are misconfigured as members to a database owner
 // resolve it by revoking the database owner from the additional owner role
- if request.User.IsDbOwner && len(additionalOwnerRoles) > 0 {
- if err := resolveOwnerMembership(request.User, additionalOwnerRoles, db); err != nil {
+ if request.User.IsDbOwner && len(strategy.AdditionalOwnerRoles) > 0 {
+ if err := resolveOwnerMembership(request.User, strategy.AdditionalOwnerRoles, db); err != nil {
 errors = append(errors, fmt.Sprintf("could not resolve owner membership for %q: %v", request.User.Name, err))
 }
 }
@@ -146,7 +147,7 @@ func (strategy DefaultUserSyncStrategy) ExecuteSyncRequests(requests []spec.PgSy
 // retry adding roles as long as the number of failed attempts is shrinking
 if len(reqretries) > 0 {
 if len(reqretries) < len(requests) {
- if err := strategy.ExecuteSyncRequests(reqretries, db, additionalOwnerRoles); err != nil {
+ if err := strategy.ExecuteSyncRequests(reqretries, db); err != nil {
 return err
 }
 } else {
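Review bot: The rewritten condition `request.User.IsDbOwner && len(strategy.AdditionalOwnerRoles) > 0` still fires on any failure of the preceding ALTER, not only on the membership conflict the two comments describe, so with additional owner roles configured an unrelated error on a database owner (a dropped connection, a permission problem) also triggers `resolveOwnerMembership`, which the comment says issues a REVOKE. Moving the list from an explicit parameter to a receiver field makes that trigger harder to see at call sites. Consider gating the call on the specific error that signals the misconfiguration, or at minimum mark the behaviour: `// NOTE(review): runs on every alter failure of a DB owner, not only the membership conflict -- confirm resolveOwnerMembership is safe to call in that case`. The enclosing `ExecuteSyncRequests` loop starts before this hunk and continues after it.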