diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 37c51c10f..f88490c27 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -327,11 +327,11 @@ class UserConnectionTokenViewSet(
     }
     CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
     rbac_perms = {
-        'GET': 'view_connectiontoken',
-        'create': 'add_connectiontoken',
-        'get_secret_detail': 'view_connectiontokensecret',
-        'get_rdp_file': 'add_connectiontoken',
-        'get_client_protocol_url': 'add_connectiontoken',
+        'GET': 'authentication.view_connectiontoken',
+        'create': 'authentication.add_connectiontoken',
+        'get_secret_detail': 'authentication.view_connectiontokensecret',
+        'get_rdp_file': 'authentication.add_connectiontoken',
+        'get_client_protocol_url': 'authentication.add_connectiontoken',
     }
 
     @staticmethod
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index 3a68fa563..63b9b661a 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -31,7 +31,7 @@ if len(defines_errors) != 0:
     raise ValueError('Perms define error: {}'.format(defines_errors))
 
 
-class PreRole:
+class PredefineRole:
     id_prefix = '00000000-0000-0000-0000-00000000000'
 
     def __init__(self, index, name, scope, perms, perms_type='include'):
@@ -45,7 +45,7 @@ class PreRole:
         from rbac.models import Role
         return Role.objects.get(id=self.id)
 
-    def get_defaults(self):
+    def _get_defaults(self):
         from rbac.models import Permission
         q = Permission.get_define_permissions_q(self.perms)
         permissions = Permission.get_permissions(self.scope)
@@ -66,7 +66,7 @@ class PreRole:
 
     def get_or_create_role(self):
         from rbac.models import Role
-        defaults = self.get_defaults()
+        defaults = self._get_defaults()
         permissions = defaults.pop('permissions', [])
         role, created = Role.objects.get_or_create(defaults, id=self.id)
         role.permissions.set(permissions)
@@ -74,25 +74,25 @@ class PreRole:
 
 
 class BuiltinRole:
-    system_admin = PreRole(
+    system_admin = PredefineRole(
         '1', ugettext_noop('SystemAdmin'), Scope.system, []
     )
-    system_auditor = PreRole(
+    system_auditor = PredefineRole(
         '2', ugettext_noop('SystemAuditor'), Scope.system, auditor_perms
     )
-    system_component = PreRole(
+    system_component = PredefineRole(
         '4', ugettext_noop('SystemComponent'), Scope.system, app_exclude_perms, 'exclude'
     )
-    system_user = PreRole(
+    system_user = PredefineRole(
         '3', ugettext_noop('User'), Scope.system, []
     )
-    org_admin = PreRole(
+    org_admin = PredefineRole(
         '5', ugettext_noop('OrgAdmin'), Scope.org, []
     )
-    org_auditor = PreRole(
+    org_auditor = PredefineRole(
         '6', ugettext_noop('OrgAuditor'), Scope.org, auditor_perms
     )
-    org_user = PreRole(
+    org_user = PredefineRole(
         '7', ugettext_noop('OrgUser'), Scope.org, user_perms
     )
 
@@ -101,7 +101,7 @@ class BuiltinRole:
         roles = {
             k: v
             for k, v in cls.__dict__.items()
-            if isinstance(v, PreRole)
+            if isinstance(v, PredefineRole)
         }
         return roles
 
diff --git a/apps/rbac/migrations/0004_auto_20211201_1901.py b/apps/rbac/migrations/0004_auto_20211201_1901.py
index 74664784e..36736f254 100644
--- a/apps/rbac/migrations/0004_auto_20211201_1901.py
+++ b/apps/rbac/migrations/0004_auto_20211201_1901.py
@@ -14,11 +14,7 @@ def migrate_system_role_binding(apps, schema_editor):
     role_bindings = []
     for user in users:
         role = BuiltinRole.get_system_role_by_old_name(user.role)
-        role_binding = role_binding_model(
-            scope='system',
-            user_id=user.id,
-            role_id=role.id,
-        )
+        role_binding = role_binding_model(scope='system', user_id=user.id, role_id=role.id)
         role_bindings.append(role_binding)
     role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
 
diff --git a/apps/rbac/models/role.py b/apps/rbac/models/role.py
index 75e8adb31..bcfa37595 100644
--- a/apps/rbac/models/role.py
+++ b/apps/rbac/models/role.py
@@ -49,10 +49,10 @@ class Role(JMSModel):
         return '%s(%s)' % (self.name, self.get_scope_display())
 
     def is_system_admin(self):
-        return self.name == self.BuiltinRole.system_admin.name and self.builtin
+        return self.id == self.BuiltinRole.system_admin.id and self.builtin
 
     def is_org_admin(self):
-        return self.name == self.BuiltinRole.org_admin.name and self.builtin
+        return self.id == self.BuiltinRole.org_admin.id and self.builtin
 
     def is_admin(self):
         yes = self.is_system_admin() or self.is_org_admin()
diff --git a/apps/users/migrations/0039_auto_20211229_1852.py b/apps/users/migrations/0039_auto_20211229_1852.py
index 3e0b5b749..f83b76144 100644
--- a/apps/users/migrations/0039_auto_20211229_1852.py
+++ b/apps/users/migrations/0039_auto_20211229_1852.py
@@ -6,7 +6,7 @@ from django.db import migrations, models
 def migrate_app_users(apps, schema_editor):
     user_model = apps.get_model('users', 'User')
     app_users = user_model.objects.filter(role='App')
-    app_users.update(is_app=True)
+    app_users.update(is_service_account=True)
 
 
 class Migration(migrations.Migration):
@@ -18,8 +18,8 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AddField(
             model_name='user',
-            name='is_app',
-            field=models.BooleanField(default=False),
+            name='is_service_account',
+            field=models.BooleanField(default=False, verbose_name='Is service account'),
         ),
         migrations.RunPython(migrate_app_users),
         migrations.AlterModelOptions(
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 4eedba48f..3d3b45096 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -270,9 +270,14 @@ class RoleMixin:
     @lazyproperty
     def is_superuser(self):
         from rbac.builtin import BuiltinRole
-        names = [r.name for r in self.system_roles.all()]
-        yes = BuiltinRole.system_admin.name in names
-        return yes
+        return self.system_roles.filter(id=BuiltinRole.system_admin.id).exists()
+
+    @lazyproperty
+    def is_org_admin(self):
+        from rbac.builtin import BuiltinRole
+        if self.is_superuser:
+            return True
+        return self.org_roles.filter(id=BuiltinRole.org_admin.id).exists()
 
     @property
     def is_staff(self):
@@ -286,8 +291,8 @@ class RoleMixin:
     def create_service_account(cls, name, comment):
         app = cls.objects.create(
             username=name, name=name, email='{}@local.domain'.format(name),
-            is_active=False, comment=comment, is_first_login=False,
-            created_by='System', is_app=True,
+            comment=comment, is_first_login=False,
+            created_by='System', is_service_account=True,
         )
         access_key = app.create_access_key()
         return app, access_key
@@ -319,7 +324,7 @@ class RoleMixin:
 
     @classmethod
     def get_nature_users(cls):
-        return cls.objects.filter(is_app=False)
+        return cls.objects.filter(is_service_account=False)
 
     @classmethod
     def get_org_users(cls, org=None):
@@ -528,7 +533,7 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
         default='User', max_length=10,
         blank=True, verbose_name=_('Role')
     )
-    is_app = models.BooleanField(default=False)
+    is_service_account = models.BooleanField(default=False, verbose_name=_("Is service account"))
     avatar = models.ImageField(
         upload_to="avatar", null=True, verbose_name=_('Avatar')
     )
diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index a66211ba0..7c8184460 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -101,7 +101,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
         fields_small = fields_mini + fields_write_only + [
             'email', 'wechat', 'phone', 'mfa_level', 'source', 'source_display',
             'can_public_key_auth', 'need_update_password',
-            'mfa_enabled', 'is_app', 'is_valid', 'is_expired', 'is_active',  # 布尔字段
+            'mfa_enabled', 'is_service_account', 'is_valid', 'is_expired', 'is_active',  # 布尔字段
             'date_expired', 'date_joined', 'last_login',  # 日期字段
             'created_by', 'comment',  # 通用字段
             'is_wecom_bound', 'is_dingtalk_bound', 'is_feishu_bound', 'is_otp_secret_key_bound',
@@ -132,7 +132,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
             'public_key': {'write_only': True},
             'is_first_login': {'label': _('Is first login'), 'read_only': True},
             'is_valid': {'label': _('Is valid')},
-            'is_app':  {'label': _('Is app user')},
+            'is_service_account':  {'label': _('Is service account')},
             'is_expired': {'label': _('Is expired')},
             'avatar_url': {'label': _('Avatar url')},
             'created_by': {'read_only': True, 'allow_blank': True},