diff --git a/changelogs/fragments/569-heconf-permissions.yml b/changelogs/fragments/569-heconf-permissions.yml
new file mode 100644
index 00000000..3a3e6ef1
--- /dev/null
+++ b/changelogs/fragments/569-heconf-permissions.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+    - hosted_engine_setup - fix hosted-engine.conf permissions and ownership (https://github.com/oVirt/ovirt-ansible-collection/pull/569).
diff --git a/roles/hosted_engine_setup/tasks/create_target_vm/03_hosted_engine_final_tasks.yml b/roles/hosted_engine_setup/tasks/create_target_vm/03_hosted_engine_final_tasks.yml
index d9c1547d..0d8503c3 100644
--- a/roles/hosted_engine_setup/tasks/create_target_vm/03_hosted_engine_final_tasks.yml
+++ b/roles/hosted_engine_setup/tasks/create_target_vm/03_hosted_engine_final_tasks.yml
@@ -147,15 +147,22 @@
       path: /var/run/ovirt-hosted-engine-ha
       state: directory
       mode: 0755
-  - name: Copy configuration files to the right location on host
+  - name: Copy vm.conf to the right location on host
     ansible.builtin.copy:
       remote_src: true
-      src: "{{ item.src }}"
-      dest: "{{ item.dest }}"
-      mode: 0644
-    with_items:
-      - {src: "{{ he_local_vm_dir }}/vm.conf", dest: /var/run/ovirt-hosted-engine-ha}
-      - {src: "{{ he_local_vm_dir }}/hosted-engine.conf", dest: /etc/ovirt-hosted-engine/}
+      src: "{{ he_local_vm_dir }}/vm.conf"
+      dest: "/var/run/ovirt-hosted-engine-ha"
+      owner: 'vdsm'
+      group: 'kvm'
+      mode: 0640
+  - name: Copy hosted-engine.conf to the right location on host
+    ansible.builtin.copy:
+      remote_src: true
+      src: "{{ he_local_vm_dir }}/hosted-engine.conf"
+      dest: "/etc/ovirt-hosted-engine/"
+      owner: 'vdsm'
+      group: 'kvm'
+      mode: 0440
   - name: Check fapolicyd status
     ansible.builtin.systemd:
       name: fapolicyd