diff --git a/api/v1beta2/capsuleconfiguration_types.go b/api/v1beta2/capsuleconfiguration_types.go
index a5854b51..0112831e 100644
--- a/api/v1beta2/capsuleconfiguration_types.go
+++ b/api/v1beta2/capsuleconfiguration_types.go
@@ -14,6 +14,8 @@ type CapsuleConfigurationSpec struct {
 	// Names of the groups for Capsule users.
 	// +kubebuilder:default={capsule.clastix.io}
 	UserGroups []string `json:"userGroups,omitempty"`
+	// Names of the groups for Capsule users.
+	ExcludeUserGroups []string `json:"excludeUserGroups,omitempty"`
 	// Enforces the Tenant owner, during Namespace creation, to name it using the selected Tenant name as prefix,
 	// separated by a dash. This is useful to avoid Namespace name collision in a public CaaS environment.
 	// +kubebuilder:default=false
diff --git a/pkg/webhook/utils/is_tenant_owner.go b/pkg/webhook/utils/is_tenant_owner.go
index aede3d61..46d06e59 100644
--- a/pkg/webhook/utils/is_tenant_owner.go
+++ b/pkg/webhook/utils/is_tenant_owner.go
@@ -9,7 +9,7 @@ import (
 	capsulev1beta2 "github.com/clastix/capsule/api/v1beta2"
 )
 
-func IsTenantOwner(owners capsulev1beta1.OwnerListSpec, userInfo authenticationv1.UserInfo, capsuleUserName string) bool {
+func IsTenantOwner(owners capsulev1beta2.OwnerListSpec, userInfo authenticationv1.UserInfo, capsuleUserName string) bool {
 	if userInfo.Username == capsuleUserName {
 		return true
 	}