diff --git a/pkg/apis/v1alpha/iam/iam_handler.go b/pkg/apis/v1alpha/iam/iam_handler.go
index f5d971ff7..6063fe159 100644
--- a/pkg/apis/v1alpha/iam/iam_handler.go
+++ b/pkg/apis/v1alpha/iam/iam_handler.go
@@ -25,6 +25,7 @@ import (
 "strings"
 "kubesphere.io/kubesphere/pkg/constants"
 "k8s.io/api/rbac/v1"
+ "k8s.io/kubernetes/pkg/util/slice"
 )

 func Register(ws *restful.WebService) {
@@ -86,7 +87,9 @@ func roleUsersHandler(req *restful.Request, resp *restful.Response) {

 for _, roleBinding := range roleBindings {
 for _, subject := range roleBinding.Subjects {
- if subject.Kind == v1.UserKind {
+ if subject.Kind == v1.UserKind &&
+ !strings.HasPrefix(subject.Name, "system") &&
+ !slice.ContainsString(users, subject.Name, nil) {
 users = append(users, subject.Name)
 }
 }
@@ -110,7 +113,8 @@ func clusterRoleUsersHandler(req *restful.Request, resp *restful.Response) {

 for _, roleBinding := range roleBindings {
 for _, subject := range roleBinding.Subjects {
- if subject.Kind == v1.UserKind {
+ if subject.Kind == v1.UserKind && !strings.HasPrefix(subject.Name, "system") &&
+ !slice.ContainsString(users, subject.Name, nil) {
 users = append(users, subject.Name)
 }
 }
diff --git a/pkg/apis/v1alpha/iam/policy.go b/pkg/apis/v1alpha/iam/policy.go
index 9b6516985..161130b53 100644
--- a/pkg/apis/v1alpha/iam/policy.go
+++ b/pkg/apis/v1alpha/iam/policy.go
@@ -41,7 +41,7 @@ type userRuleList struct {
 Rules map[string][]rule `json:"rules"`
 }

-// TODO design all frontend-facing rules
+// TODO stored in etcd, allow updates
 var (
 clusterRoleRuleGroup = []rule{projectsManagement, userManagement, roleManagement, registryManagement, volumeManagement, storageclassManagement, nodeManagement, appCatalogManagement, appManagement}
diff --git a/pkg/models/roles.go b/pkg/models/roles.go
index 5de506b9d..a52af2504 100644
--- a/pkg/models/roles.go
+++ b/pkg/models/roles.go
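Review bot: In iam_handler.go's import hunk, `k8s.io/kubernetes/pkg/util/slice` brings a package from the main k8s.io/kubernetes module into the API layer for a single `ContainsString` call. Upstream does not support that module as a library, so depending on it tends to complicate vendoring and version upgrades. Unless the project already depends on it elsewhere (not visible in this diff), a small local helper or a `map[string]struct{}` seen-set in the two handlers would do the same job and make the de-duplication linear.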
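Review bot: In roleUsersHandler (iam_handler.go), `!strings.HasPrefix(subject.Name, "system")` drops every user whose name merely begins with those letters, so an ordinary account such as `systemops` (a constructed example) that is bound to the role would be missing from the list used to review who holds it. Kubernetes reserves the prefix with the colon, so the check is tighter as `!strings.HasPrefix(subject.Name, "system:")`. The same condition is repeated in the clusterRoleUsersHandler hunk and needs the same change; a shared helper would keep the two copies from drifting. It is also worth a comment stating that hiding `system:` subjects is deliberate, since it also hides a binding to `system:anonymous`, which an access review would normally want to see. Both function bodies continue outside their hunks.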
@@ -33,7 +33,7 @@ func GetClusterRoleBindings(name string) ([]v1.ClusterRoleBinding, error) {
 }
 }

- return roleBindingList.Items, nil
+ return items, nil
 }

 func GetRoleBindings(namespace string, name string) ([]v1.RoleBinding, error) {
@@ -53,7 +53,7 @@ func GetRoleBindings(namespace string, name string) ([]v1.RoleBinding, error) {
 }
 }

- return roleBindingList.Items, nil
+ return items, nil
 }

 func GetClusterRole(name string) (*v1.ClusterRole, error) {