diff --git a/pkg/api/org_users.go b/pkg/api/org_users.go
index b0c7c807cc0..c44561f6357 100644
--- a/pkg/api/org_users.go
+++ b/pkg/api/org_users.go
@@ -381,16 +381,23 @@ func (hs *HTTPServer) UpdateOrgUser(c *contextmodel.ReqContext) response.Respons
 
 func (hs *HTTPServer) updateOrgUserHelper(c *contextmodel.ReqContext, cmd org.UpdateOrgUserCommand) response.Response {
 	if !cmd.Role.IsValid() {
-		return response.Error(400, "Invalid role specified", nil)
+		return response.Error(http.StatusBadRequest, "Invalid role specified", nil)
 	}
 	if !c.OrgRole.Includes(cmd.Role) && !c.IsGrafanaAdmin {
 		return response.Error(http.StatusForbidden, "Cannot assign a role higher than user's role", nil)
 	}
 	if err := hs.orgService.UpdateOrgUser(c.Req.Context(), &cmd); err != nil {
 		if errors.Is(err, org.ErrLastOrgAdmin) {
-			return response.Error(400, "Cannot change role so that there is no organization admin left", nil)
+			return response.Error(http.StatusBadRequest, "Cannot change role so that there is no organization admin left", nil)
 		}
-		return response.Error(500, "Failed update org user", err)
+		return response.Error(http.StatusInternalServerError, "Failed update org user", err)
+	}
+
+	if !hs.accesscontrolService.IsDisabled() {
+		hs.accesscontrolService.ClearUserPermissionCache(&user.SignedInUser{
+			UserID: cmd.UserID,
+			OrgID:  cmd.OrgID,
+		})
 	}
 
 	return response.Success("Organization user updated")
diff --git a/pkg/api/org_users_test.go b/pkg/api/org_users_test.go
index 2f2d0cd8f7f..e4ae7c5b0e7 100644
--- a/pkg/api/org_users_test.go
+++ b/pkg/api/org_users_test.go
@@ -630,6 +630,7 @@ func TestOrgUsersAPIEndpointWithSetPerms_AccessControl(t *testing.T) {
 					ExpectedUser:         &user.User{},
 					ExpectedSignedInUser: userWithPermissions(1, tt.permissions),
 				}
+				hs.accesscontrolService = &actest.FakeService{}
 			})
 
 			u := userWithPermissions(1, tt.permissions)
@@ -703,6 +704,7 @@ func TestPatchOrgUsersAPIEndpoint_AccessControl(t *testing.T) {
 				hs.Cfg.RBACEnabled = tt.enableAccessControl
 				hs.orgService = &orgtest.FakeOrgService{}
 				hs.authInfoService = &logintest.AuthInfoServiceFake{}
+				hs.accesscontrolService = &actest.FakeService{}
 				hs.userService = &usertest.FakeUserService{
 					ExpectedUser:         &user.User{},
 					ExpectedSignedInUser: userWithPermissions(1, tt.permissions),