diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index c99181d4e..179889111 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -2,15 +2,6 @@ from django.utils.translation import ugettext_noop
 
 from .const import Scope, system_exclude_permissions, org_exclude_permissions
 
-system_user_perms = (
-    ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
-    ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
-    ('authentication', 'accesskey', '*', '*'),
-    ('tickets', 'ticket', 'view', 'ticket'),
-    ('orgs', 'organization', 'view', 'rootorg'),
-)
-
-# Todo: 获取应该区分 系统用户,和组织用户的权限
 # 工作台也区分组织后再考虑
 user_perms = (
     ('rbac', 'menupermission', 'view', 'workbench'),
@@ -25,6 +16,14 @@ user_perms = (
     ('ops', 'commandexecution', 'add', 'commandexecution'),
 )
 
+system_user_perms = (
+    ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
+    ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
+    ('authentication', 'accesskey', '*', '*'),
+    ('tickets', 'ticket', 'view', 'ticket'),
+    ('orgs', 'organization', 'view', 'rootorg'),
+) + user_perms
+
 auditor_perms = user_perms + (
     ('rbac', 'menupermission', 'view', 'audit'),
     ('audits', '*', '*', '*'),
diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py
index 643e38207..dc09f75d2 100644
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
@@ -6,7 +6,7 @@ from rest_framework.serializers import ValidationError
 from common.db.models import JMSModel
 from common.utils import lazyproperty
-from orgs.utils import current_org
+from orgs.utils import current_org, tmp_to_root_org
 from .role import Role
 from ..const import Scope
 
 
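Review bot: The `+ user_perms` suffix on the new `system_user_perms` definition makes the system-scope user role a strict superset of the org-scope user role, so every entry later appended to `user_perms` is granted at system scope as well, and that coupling is not stated anywhere next to the definition. A comment such as `# System-scope user = everything in user_perms plus the token/ticket/root-org perms above; extending user_perms widens this role too` would make the intent explicit. The deleted Todo asked for system and org user permissions to be distinguished, and this hunk answers it by inclusion rather than separation, so recording that decision keeps the question from being reopened. The definition of `auditor_perms` that follows continues outside the hunk.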
@@ -105,7 +105,8 @@ class RoleBinding(JMSModel):
         from orgs.models import Organization
         roles = Role.get_roles_by_perm(perm)
-        bindings = list(cls.objects.root_all().filter(role__in=roles, user=user))
+        with tmp_to_root_org():
+            bindings = list(cls.objects.root_all().filter(role__in=roles, user=user))
         system_bindings = [b for b in bindings if b.scope == Role.Scope.system.value]
         if perm == 'rbac.view_workbench':
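Review bot: `Role.get_roles_by_perm(perm)` on the line above the change is still evaluated outside the new `tmp_to_root_org()` block; if that lookup is itself subject to the current-org filter, org-scoped roles can still be dropped before the binding query runs, so the `with` should probably open one line earlier so both calls share the root-org context. Wrapping a query that already goes through `root_all()` in `tmp_to_root_org()` also deserves a one-line why-comment, e.g. `# root_all() was not enough on its own here; tmp_to_root_org() also clears the thread-local current org for everything evaluated inside — TODO confirm which lookup was being filtered`, because the two mechanisms look redundant at first read. The enclosing method begins before this hunk and continues after it, and the `if perm == 'rbac.view_workbench':` branch that follows runs after the context manager has restored the original org.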