diff --git a/apis/user/v1alpha1/normalize.go b/apis/user/v1alpha1/normalize.go
new file mode 100644
index 0000000..1449b53
--- /dev/null
+++ b/apis/user/v1alpha1/normalize.go
@@ -0,0 +1,21 @@
+package v1alpha1
+
+import "github.com/edgefarm/vault-plugin-secrets-nats/pkg/claims/user/v1alpha1"
+
+func FixEmptySlices(params *v1alpha1.UserClaims) {
+	if params == nil {
+		return
+	}
+	if params.Permissions.Pub.Allow == nil {
+		params.Permissions.Pub.Allow = []string{}
+	}
+	if params.Permissions.Pub.Deny == nil {
+		params.Permissions.Pub.Deny = []string{}
+	}
+	if params.Permissions.Sub.Allow == nil {
+		params.Permissions.Sub.Allow = []string{}
+	}
+	if params.Permissions.Sub.Deny == nil {
+		params.Permissions.Sub.Deny = []string{}
+	}
+}
diff --git a/internal/clients/issue/user.go b/internal/clients/issue/user.go
index ddff848..88e26d5 100644
--- a/internal/clients/issue/user.go
+++ b/internal/clients/issue/user.go
@@ -6,31 +6,12 @@ import (
 	v1alpha1 "github.com/edgefarm/provider-natssecrets/apis/user/v1alpha1"
 	vault "github.com/edgefarm/provider-natssecrets/internal/clients"
 	natsbackend "github.com/edgefarm/vault-plugin-secrets-nats"
-	vaultv1alpha1 "github.com/edgefarm/vault-plugin-secrets-nats/pkg/claims/user/v1alpha1"
 )
 
 func UserPath(mount string, operator string, account string, user string) string {
 	return mount + "/issue/operator/" + operator + "/account/" + account + "/user/" + user
 }
 
-func fixEmptySlices(params *vaultv1alpha1.UserClaims) {
-	if params == nil {
-		return
-	}
-	if params.Permissions.Pub.Allow == nil {
-		params.Permissions.Pub.Allow = []string{}
-	}
-	if params.Permissions.Pub.Deny == nil {
-		params.Permissions.Pub.Deny = []string{}
-	}
-	if params.Permissions.Sub.Allow == nil {
-		params.Permissions.Sub.Allow = []string{}
-	}
-	if params.Permissions.Sub.Deny == nil {
-		params.Permissions.Sub.Deny = []string{}
-	}
-}
-
 func ReadUser(c *vault.Client, operator string, account string, user string) (*v1alpha1.UserParameters, *natsbackend.IssueUserStatus, error) {
 	path := UserPath(c.Mount, operator, account, user)
 
@@ -39,7 +20,7 @@ func ReadUser(c *vault.Client, operator string, account string, user string) (*v
 		return nil, nil, err
 	}
 	if resp != nil {
-		fixEmptySlices(&resp.Claims)
+		v1alpha1.FixEmptySlices(&resp.Claims)
 		return &v1alpha1.UserParameters{
 			Operator:      resp.Operator,
 			Account:       resp.Account,
diff --git a/internal/controller/user/user.go b/internal/controller/user/user.go
index 94cbde4..2f1bbd9 100644
--- a/internal/controller/user/user.go
+++ b/internal/controller/user/user.go
@@ -166,7 +166,7 @@ func (c *external) Observe(ctx context.Context, mg resource.Managed) (managed.Ex
 	if !ok {
 		return managed.ExternalObservation{}, errors.New(errNotUser)
 	}
-
+	v1alpha1.FixEmptySlices(&cr.Spec.ForProvider.Claims)
 	user, err := getExternalName(cr)
 	if err != nil {
 		return managed.ExternalObservation{}, err