diff --git a/apps/jumpserver/views/celery_flower.py b/apps/jumpserver/views/celery_flower.py
index 0ec4a0fe1..abc288bf2 100644
--- a/apps/jumpserver/views/celery_flower.py
+++ b/apps/jumpserver/views/celery_flower.py
@@ -14,7 +14,7 @@ __all__ = ['celery_flower_view']
 @csrf_exempt
 def celery_flower_view(request, path):
- if not request.user.is_superuser:
+ if not request.user.has_perm('ops.view_taskmonitor'):
 return HttpResponse("Forbidden")
 remote_url = 'http://{}/{}'.format(flower_url, path)
 try:
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index a0c2964c4..fe7b2de2d 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -3111,15 +3111,15 @@ msgstr "如果有疑问或需求,请联系系统管理员"
 #: rbac/api/role.py:32
 msgid "Internal role, can't be destroy"
-msgstr ""
+msgstr "内部角色,不能删除"
 #: rbac/api/role.py:36
 msgid "The role has been bound to users, can't be destroy"
-msgstr ""
+msgstr "角色已绑定用户,不能删除"
 #: rbac/api/role.py:43
 msgid "Internal role, can't be update"
-msgstr ""
+msgstr "内部角色,不能更新"
 #: rbac/api/rolebinding.py:46
 msgid "{} at least one system role"
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index d7f58e841..99e03123d 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -102,7 +102,8 @@ only_system_permissions = (
 ('terminal', 'replaystorage', '*', '*'),
 ('terminal', 'status', '*', '*'),
 ('terminal', 'task', '*', '*'),
- ('tickets', 'ticketflow', '*', '*'),
+ ('tickets', '*', '*', '*'),
+ ('authentication', '*', '*', '*'),
 )
 only_org_permissions = (
diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py
index 55061e230..3aa04955d 100644
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
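Review bot: In `celery_flower_view` (apps/jumpserver/views/celery_flower.py) the gate drops from superuser to `ops.view_taskmonitor`, a view-level permission, yet the view is `@csrf_exempt` and forwards the caller-supplied `path` to Flower, so what a holder can reach depends on which HTTP methods and paths the proxy passes on. The proxying code runs past the end of the hunk, so this is inferred: if non-GET requests are forwarded, holders of a read permission could reach Flower's task and worker control endpoints, and the CSRF exemption would let a third-party page trigger them from a logged-in browser. I would restrict the proxy to read-only methods for this permission, or require a separate permission for state-changing requests. The denial also returns HTTP 200; `return HttpResponse("Forbidden", status=403)` lets clients and log-based detections see the refusal.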
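Review bot: The two new entries in `only_system_permissions` (apps/rbac/const.py) use an app-wide wildcard, `('tickets', '*', '*', '*')` and `('authentication', '*', '*', '*')`, where the neighbouring entries name a model, and nothing records why whole apps are system-only. How this tuple is consumed is outside the hunk, so presumably every current and future model in these apps is excluded from org-scoped roles; existing org roles that already hold `tickets` permissions other than `ticketflow` may need a migration or a cleanup check. A comment above the entries would help, e.g. `# tickets and authentication are managed at system scope only; org roles must not grant them`.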
@@ -15,11 +15,9 @@ __all__ = ['RoleBinding', 'SystemRoleBinding', 'OrgRoleBinding']
 class RoleBindingManager(models.Manager):
 def get_queryset(self):
 queryset = super(RoleBindingManager, self).get_queryset()
-
+ q = Q(scope=Scope.system)
 if not current_org.is_root():
- q = Q(scope=Scope.system) | Q(org_id=current_org.id, scope=Scope.org)
- else:
- q = Q()
+ q |= Q(org_id=current_org.id, scope=Scope.org)
 queryset = queryset.filter(q)
 return queryset
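Review bot: In `RoleBindingManager.get_queryset` the root-org case changes from `Q()` (every binding) to `Q(scope=Scope.system)`, so under the root org this manager no longer returns org-scoped bindings, and the code carries no comment saying this is intended. Callers are outside the hunk; anything that runs under the root org and expects all bindings (listing, counting, or removing a user's bindings) would now silently skip org-scope rows. If the narrowing is deliberate, document it above the filter, e.g. `# Root org: system-scope bindings only; org-scope bindings need a concrete current_org`, and consider an unfiltered manager for code that must see every binding. The rest of the class lies outside the hunk.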