diff --git a/apps/assets/api/account/account.py b/apps/assets/api/account/account.py
index ebcfb1f09..9e2697adb 100644
--- a/apps/assets/api/account/account.py
+++ b/apps/assets/api/account/account.py
@@ -1,20 +1,23 @@
 from django.shortcuts import get_object_or_404
 from rest_framework.decorators import action
-from rest_framework.response import Response
 from rest_framework.generics import CreateAPIView, ListAPIView
+from rest_framework.response import Response
 
-from orgs.mixins.api import OrgBulkModelViewSet
-
-from common.mixins import RecordViewLogMixin
-from assets.models import Account, Asset
-from assets.filters import AccountFilterSet
-from assets.tasks import verify_accounts_connectivity
 from assets import serializers
+from assets.filters import AccountFilterSet
+from assets.models import Account, Asset
+from assets.tasks import verify_accounts_connectivity
+from authentication.const import ConfirmType
+from common.mixins import RecordViewLogMixin
+from common.permissions import UserConfirmation
+from orgs.mixins.api import OrgBulkModelViewSet
 
 __all__ = [
     'AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI', 'AccountHistoriesSecretAPI'
 ]
 
+from rbac.permissions import RBACPermission
+
 
 class AccountViewSet(OrgBulkModelViewSet):
     model = Account
@@ -62,8 +65,7 @@ class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
         'default': serializers.AccountSecretSerializer,
     }
     http_method_names = ['get', 'options']
-    # Todo: 记得打开
-    # permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
     rbac_perms = {
         'list': 'assets.view_accountsecret',
         'retrieve': 'assets.view_accountsecret',
@@ -110,4 +112,5 @@ class AccountTaskCreateAPI(CreateAPIView):
     def get_exception_handler(self):
         def handler(e, context):
             return Response({"error": str(e)}, status=400)
+
         return handler
diff --git a/apps/assets/serializers/account/account.py b/apps/assets/serializers/account/account.py
index f8186d13e..218155b66 100644
--- a/apps/assets/serializers/account/account.py
+++ b/apps/assets/serializers/account/account.py
@@ -1,15 +1,15 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
-from common.drf.serializers import SecretReadableMixin
-from common.drf.fields import ObjectRelatedField, LabeledChoiceField
-from assets.tasks import push_accounts_to_assets
-from assets.models import Account, AccountTemplate, Asset
-from .base import BaseAccountSerializer
 from assets.const import SecretType
+from assets.models import Account, AccountTemplate, Asset
+from assets.tasks import push_accounts_to_assets
+from common.drf.fields import ObjectRelatedField, LabeledChoiceField
+from common.drf.serializers import SecretReadableMixin, BulkModelSerializer
+from .base import BaseAccountSerializer
 
 
-class AccountSerializerCreateMixin(serializers.ModelSerializer):
+class AccountSerializerCreateMixin(BulkModelSerializer):
     template = serializers.UUIDField(
         required=False, allow_null=True, write_only=True,
         label=_('Account template')
@@ -53,11 +53,27 @@ class AccountSerializerCreateMixin(serializers.ModelSerializer):
         return instance
 
 
+class AccountAssetSerializer(serializers.ModelSerializer):
+    platform = ObjectRelatedField(read_only=True)
+
+    class Meta:
+        model = Asset
+        fields = ['id', 'name', 'address', 'platform']
+
+    def to_internal_value(self, data):
+        if isinstance(data, dict):
+            i = data.get('id')
+        else:
+            i = data
+
+        try:
+            return Asset.objects.get(id=i)
+        except Asset.DoesNotExist:
+            raise serializers.ValidationError(_('Asset not found'))
+
+
 class AccountSerializer(AccountSerializerCreateMixin, BaseAccountSerializer):
-    asset = ObjectRelatedField(
-        required=False, queryset=Asset.objects,
-        label=_('Asset'), attrs=('id', 'name', 'address', 'platform_id')
-    )
+    asset = AccountAssetSerializer(label=_('Asset'))
     su_from = ObjectRelatedField(
         required=False, queryset=Account.objects, allow_null=True, allow_empty=True,
         label=_('Su from'), attrs=('id', 'name', 'username')
@@ -66,22 +82,17 @@ class AccountSerializer(AccountSerializerCreateMixin, BaseAccountSerializer):
     class Meta(BaseAccountSerializer.Meta):
         model = Account
         fields = BaseAccountSerializer.Meta.fields \
-            + ['su_from', 'version', 'asset'] \
-            + ['template', 'push_now']
+                 + ['su_from', 'version', 'asset'] \
+                 + ['template', 'push_now']
         extra_kwargs = {
             **BaseAccountSerializer.Meta.extra_kwargs,
             'name': {'required': False, 'allow_null': True},
         }
 
-    def __init__(self, *args, data=None, **kwargs):
-        super().__init__(*args, data=data, **kwargs)
-        if data and 'name' not in data:
-            username = data.get('username')
-            if username is not None:
-                data['name'] = username
-        if hasattr(self, 'initial_data') and \
-                not getattr(self, 'initial_data', None):
-            delattr(self, 'initial_data')
+    def validate_name(self, value):
+        if not value:
+            value = self.initial_data.get('username')
+        return value
 
     @classmethod
     def setup_eager_loading(cls, queryset):
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 256794ea4..72c101a71 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -872,7 +872,7 @@ msgstr "自动化任务执行历史"
 #: assets/models/automations/change_secret.py:15 assets/models/base.py:67
 #: assets/serializers/account/account.py:97 assets/serializers/base.py:13
 msgid "Secret type"
-msgstr "密问类型"
+msgstr "密文类型"
 
 #: assets/models/automations/change_secret.py:19
 #: assets/serializers/automations/change_secret.py:25