diff --git a/roles/ipa/client/handlers/main.yml b/roles/ipa/client/handlers/main.yml
new file mode 100644
index 0000000000..a8c0d4f5a3
--- /dev/null
+++ b/roles/ipa/client/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: clean sss caches
+ command: sss_cache -E
diff --git a/roles/ipa/client/tasks/hbac.yml b/roles/ipa/client/tasks/hbac.yml
index 12f4ad0dc8..74b361cdde 100644
--- a/roles/ipa/client/tasks/hbac.yml
+++ b/roles/ipa/client/tasks/hbac.yml
@@ -14,6 +14,7 @@
 state: present
 group:
 - sysadmin-main
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -24,6 +25,7 @@
 name: "usergroup/sysadmin-main"
 ipaadmin_password: "{{ ipa_server_admin_passwords[item] }}"
 state: enabled
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -34,6 +36,7 @@
 name: allow_all
 ipaadmin_password: "{{ ipa_server_admin_passwords[item] }}"
 state: disabled
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -49,6 +52,7 @@
 usercategory: "all"
 hbacsvcgroup:
 - Sudo
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -120,5 +124,6 @@
 action: member
 state: present
 group: "{{ ipa_server_host_groups_dict[item[0]][item[1]]['shell_groups'] }}"
+ notify: clean sss caches
 loop: "{{ ipa_server_host_groups }}"
 when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['shell_groups'] is defined
diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index 0c4081e1fd..d36a65b192 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@@ -26,6 +26,7 @@
 -U -N --force-join --mkhomedir
 creates: /etc/ipa/default.conf
+ notify: clean sss caches
 tags:
 - ipa/client
 - config
diff --git a/roles/ipa/client/tasks/sudo.yml b/roles/ipa/client/tasks/sudo.yml
index 8507c69b34..33a7fda035 100644
--- a/roles/ipa/client/tasks/sudo.yml
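Review bot: Handlers run only at the end of the play, so after an access-revoking change (the `allow_all` rule being disabled in hbac.yml, for instance) the client keeps answering from its old SSSD cache until `sss_cache -E` finally runs, and not at all if a later task fails first. If that stale window matters, add `- meta: flush_handlers` after the HBAC and sudo task files are included, which is outside this diff. The handler also sets no `become`; `sss_cache` needs root, so this presumably relies on the play already running privileged.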
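Review bot: The `notify` added in the `@@ -14,6 +14,7 @@` hunk of hbac.yml queues the handler only for hosts where this task itself reports `changed`, but the rule it manages appears to live on the IPA server (the task loops over `ipa_servers`, and the next two hunks authenticate with `ipaadmin_password`). If the role runs against many clients without `run_once`, the first client to apply the change flushes its cache while every other client sees `ok` and keeps stale entries. The task header is outside the hunk, so whether `run_once` or `delegate_to` is set cannot be seen here. The same applies to the other four `notify` lines in hbac.yml and the two in sudo.yml. A comment above the first task would help, e.g. `# handler fires only on hosts that report "changed"; other clients keep their cache until expiry`.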
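Review bot: The task tail in the `@@ -120,5 +124,6 @@` hunk of hbac.yml has no `no_log: true`, unlike the four tasks above it, where that line sits directly after the new `notify`. The task begins outside the hunk, so it is not visible whether it passes `ipaadmin_password`; if it does, its secrecy rests on the module's own argument masking rather than on the explicit task-level setting the sibling tasks use. Add `no_log: true` after the `notify` line here, and in the `@@ -30,5 +31,6 @@` hunk of sudo.yml, which has the same shape.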
+++ b/roles/ipa/client/tasks/sudo.yml
@@ -14,6 +14,7 @@
 runasgroupcategory: "all"
 group:
 - sysadmin-main
+ notify: clean sss caches
 no_log: true
 loop: "{{ ipa_servers }}"
 when: ipa_servers is defined
@@ -30,5 +31,6 @@
 cmdcategory: "all"
 runasusercategory: "all"
 runasgroupcategory: "all"
+ notify: clean sss caches
 loop: "{{ ipa_server_host_groups }}"
 when: ipa_server_host_groups is defined and ipa_server_host_groups_dict[item[0]][item[1]]['sudo_groups'] is defined
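Review bot: Check that `sss_cache -E` actually drops cached sudo rules on the sssd version these clients run, since that is what the `notify` in the `@@ -14,6 +14,7 @@` hunk of sudo.yml relies on. On some releases the man page describes `-E` as invalidating everything except sudo rules, in which case this `notify` and the one in the `@@ -30,5 +31,6 @@` hunk would not refresh the rules these tasks change. If that holds for the target hosts, the handler in roles/ipa/client/handlers/main.yml needs a sudo-specific invalidation step as well. The enclosing task starts outside the hunk.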