diff --git a/pkg/apiserver/authorization/authorizerfactory/rbac.go b/pkg/apiserver/authorization/authorizerfactory/rbac.go
index 53aae31a5..a39cbaeb2 100644
--- a/pkg/apiserver/authorization/authorizerfactory/rbac.go
+++ b/pkg/apiserver/authorization/authorizerfactory/rbac.go
@@ -249,7 +249,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 workspace = requestAttributes.GetWorkspace()
 }
- if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", requestAttributes.GetWorkspace()); err != nil {
+ if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", workspace); err != nil {
 if !visitor(nil, "", nil, err) {
 return
 }
diff --git a/pkg/models/iam/am/am.go b/pkg/models/iam/am/am.go
index 90d1d46cb..2c43baca1 100644
--- a/pkg/models/iam/am/am.go
+++ b/pkg/models/iam/am/am.go
@@ -843,12 +843,12 @@ func (am *amOperator) CreateOrUpdateNamespaceRole(namespace string, role *rbacv1
 var aggregateRoles []string
 if err := json.Unmarshal([]byte(role.Annotations[iamv1alpha2.AggregationRolesAnnotation]), &aggregateRoles); err == nil {
 for _, roleName := range aggregateRoles {
- role, err := am.GetNamespaceRole(namespace, roleName)
+ aggregationRole, err := am.GetNamespaceRole(namespace, roleName)
 if err != nil {
 klog.Error(err)
 return nil, err
 }
- role.Rules = append(role.Rules, role.Rules...)
+ role.Rules = append(role.Rules, aggregationRole.Rules...)
 }
 }
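Review bot: Nothing in this hunk shows that `workspace` is non-empty when it reaches `r.am.ListWorkspaceRoleBindings("", workspace)`; the only visible assignment is the fallback `workspace = requestAttributes.GetWorkspace()`, which may itself be empty for a request that carries no workspace. If the lister treats an empty workspace name as "all workspaces" (not visible here, to be confirmed), a binding from an unrelated workspace could satisfy this authorization check. I would guard the lookup with `if workspace != "" {`, or state the contract in a comment such as `// workspace: resolved from the owning namespace, else taken from the request; must not be empty here`. visitRulesFor starts and ends outside the hunk, so how `workspace` is resolved should be checked against the full function.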
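Review bot: With the shadowing fixed, `role.Rules = append(role.Rules, aggregationRole.Rules...)` now copies the rules of every role named in the caller-supplied `AggregationRolesAnnotation` into the role being written, and nothing visible in the hunk checks that the requester may grant those rules. If the role is later persisted with the operator's own credentials (not shown here), any escalation check would apply to the operator rather than the end user. That deserves an explicit check, or at least a comment such as `// rules below come from roles named by the caller; the caller must already be authorized to grant them`. Separately, a malformed annotation is skipped silently because only `err == nil` is handled; an `else` branch calling `klog.Error(err)` would make that visible. CreateOrUpdateNamespaceRole starts before the hunk and may continue after it.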