diff --git a/api/v1alpha1/servicebinding_validating_webhook.go b/api/v1alpha1/servicebinding_validating_webhook.go
index 46b86d28..65a86266 100644
--- a/api/v1alpha1/servicebinding_validating_webhook.go
+++ b/api/v1alpha1/servicebinding_validating_webhook.go
@@ -18,6 +18,7 @@ package v1alpha1
 
 import (
 	"fmt"
+	"reflect"
 
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
@@ -60,33 +61,7 @@ func (sb *ServiceBinding) ValidateUpdate(old runtime.Object) error {
 
 func (sb *ServiceBinding) specChanged(old runtime.Object) bool {
 	oldBinding := old.(*ServiceBinding)
-
-	if changed := sb.paramsFromChanged(oldBinding); changed {
-		return true
-	}
-
-	return sb.Spec.ExternalName != oldBinding.Spec.ExternalName ||
-		sb.Spec.ServiceInstanceName != oldBinding.Spec.ServiceInstanceName ||
-		// TODO + labels
-		//r.Spec.Labels != oldBinding.Spec.Labels ||
-		sb.Spec.Parameters.String() != oldBinding.Spec.Parameters.String() ||
-		sb.Spec.SecretName != oldBinding.Spec.SecretName
-}
-
-func (sb *ServiceBinding) paramsFromChanged(oldBinding *ServiceBinding) bool {
-	if len(sb.Spec.ParametersFrom) != len(oldBinding.Spec.ParametersFrom) {
-		return true
-	}
-	for i, paramFrom := range sb.Spec.ParametersFrom {
-		if paramFrom.SecretKeyRef != nil && oldBinding.Spec.ParametersFrom[i].SecretKeyRef != nil {
-			if *paramFrom.SecretKeyRef != *oldBinding.Spec.ParametersFrom[i].SecretKeyRef {
-				return true
-			}
-		} else if paramFrom.SecretKeyRef != oldBinding.Spec.ParametersFrom[i].SecretKeyRef {
-			return true
-		}
-	}
-	return false
+	return !reflect.DeepEqual(oldBinding.Spec, sb.Spec)
 }
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
diff --git a/api/v1alpha1/webhooks/servicebinding_mutating_webhook.go b/api/v1alpha1/webhooks/servicebinding_mutating_webhook.go
index d2456fc3..36424cef 100644
--- a/api/v1alpha1/webhooks/servicebinding_mutating_webhook.go
+++ b/api/v1alpha1/webhooks/servicebinding_mutating_webhook.go
@@ -9,6 +9,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/SAP/sap-btp-service-operator/api/v1alpha1"
+	v1admission "k8s.io/api/admission/v1"
 	v1 "k8s.io/api/authentication/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
@@ -47,11 +48,13 @@ func (s *ServiceBindingDefaulter) Handle(_ context.Context, req admission.Reques
 		binding.Spec.SecretName = binding.Name
 	}
 
-	binding.Spec.UserInfo = &v1.UserInfo{
-		Username: req.UserInfo.Username,
-		UID:      req.UserInfo.UID,
-		Groups:   req.UserInfo.Groups,
-		Extra:    req.UserInfo.Extra,
+	if req.Operation == v1admission.Create || req.Operation == v1admission.Delete {
+		binding.Spec.UserInfo = &v1.UserInfo{
+			Username: req.UserInfo.Username,
+			UID:      req.UserInfo.UID,
+			Groups:   req.UserInfo.Groups,
+			Extra:    req.UserInfo.Extra,
+		}
 	}
 
 	marshaledInstance, err := json.Marshal(binding)
diff --git a/api/v1alpha1/webhooks/serviceinstance_mutating_webhook.go b/api/v1alpha1/webhooks/serviceinstance_mutating_webhook.go
index 89727abb..c731220a 100644
--- a/api/v1alpha1/webhooks/serviceinstance_mutating_webhook.go
+++ b/api/v1alpha1/webhooks/serviceinstance_mutating_webhook.go
@@ -5,11 +5,14 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"reflect"
+
+	v1admission "k8s.io/api/admission/v1"
+	v1 "k8s.io/api/authentication/v1"
 
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/SAP/sap-btp-service-operator/api/v1alpha1"
-	v1 "k8s.io/api/authentication/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
 	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
@@ -42,11 +45,10 @@ func (s *ServiceInstanceDefaulter) Handle(_ context.Context, req admission.Reque
 		instancelog.Info("externalName not provided, defaulting to k8s name", "name", instance.Name)
 		instance.Spec.ExternalName = instance.Name
 	}
-	instance.Spec.UserInfo = &v1.UserInfo{
-		Username: req.UserInfo.Username,
-		UID:      req.UserInfo.UID,
-		Groups:   req.UserInfo.Groups,
-		Extra:    req.UserInfo.Extra,
+
+	err = s.setServiceInstanceUserInfo(req, instance)
+	if err != nil {
+		return admission.Errored(http.StatusInternalServerError, err)
 	}
 
 	marshaledInstance, err := json.Marshal(instance)
@@ -56,6 +58,28 @@ func (s *ServiceInstanceDefaulter) Handle(_ context.Context, req admission.Reque
 	return admission.PatchResponseFromRaw(req.Object.Raw, marshaledInstance)
 }
 
+func (s *ServiceInstanceDefaulter) setServiceInstanceUserInfo(req admission.Request, instance *v1alpha1.ServiceInstance) error {
+	userInfo := &v1.UserInfo{
+		Username: req.UserInfo.Username,
+		UID:      req.UserInfo.UID,
+		Groups:   req.UserInfo.Groups,
+		Extra:    req.UserInfo.Extra,
+	}
+	if req.Operation == v1admission.Create || req.Operation == v1admission.Delete {
+		instance.Spec.UserInfo = userInfo
+	} else if req.Operation == v1admission.Update {
+		oldInstance := &v1alpha1.ServiceInstance{}
+		err := s.decoder.DecodeRaw(req.OldObject, oldInstance)
+		if err != nil {
+			return err
+		}
+		if !reflect.DeepEqual(oldInstance.Spec, instance.Spec) {
+			instance.Spec.UserInfo = userInfo
+		}
+	}
+	return nil
+}
+
 func (s *ServiceInstanceDefaulter) InjectDecoder(d *admission.Decoder) error {
 	s.decoder = d
 	return nil