diff --git a/internal/biz/enum/const.go b/internal/biz/enum/const.go
index 88926055..218f4bfc 100644
--- a/internal/biz/enum/const.go
+++ b/internal/biz/enum/const.go
@@ -27,7 +27,8 @@ func init() {
 BuildRoles["admin"] = map[string]interface{}{
 "id": "admin",
 "name": "管理员",
- "platform": []string{"system.role:all", "system.user:all"},
+ "type": "console",
+ "platform": AdminPrivilege,
 "builtin": true,
 "description": "is admin",
 "created": time.Now(),
diff --git a/internal/biz/validate.go b/internal/biz/validate.go
index 37b3ec35..b35ffad9 100644
--- a/internal/biz/validate.go
+++ b/internal/biz/validate.go
@@ -135,3 +135,27 @@ func CombineUserRoles(roleNames []string) RolePermission {
 newRole.IndexPrivilege = m
 return newRole
 }
+func FilterCluster(roles []string, cluster []string) []string {
+ newRole := CombineUserRoles(roles)
+ userClusterMap := make(map[string]struct{}, 0)
+ for _, v := range newRole.Cluster {
+ userClusterMap[v] = struct{}{}
+ }
+ realCluster := make([]string, 0)
+ for _, v := range cluster {
+ if _, ok := userClusterMap[v]; ok {
+ realCluster = append(realCluster, v)
+ }
+ }
+ return realCluster
+}
+func FilterIndex(roles []string, index []string) []string {
+ realIndex := make([]string, 0)
+ newRole := CombineUserRoles(roles)
+ for _, v := range index {
+ if _, ok := newRole.IndexPrivilege[v]; ok {
+ realIndex = append(realIndex, v)
+ }
+ }
+ return realIndex
+}
diff --git a/internal/biz/validate_test.go b/internal/biz/validate_test.go
index befa264f..a1b82c1c 100644
--- a/internal/biz/validate_test.go
+++ b/internal/biz/validate_test.go
@@ -2,6 +2,7 @@ package biz
 import (
 "github.com/stretchr/testify/assert"
+ "infini.sh/framework/core/util"
 "testing"
 )
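Review bot: FilterIndex grants an index only on an exact key hit in `newRole.IndexPrivilege[v]`, so if role index names can be patterns (the sibling privilege lists in this commit use wildcards such as `cat.*`), a pattern-named grant never matches a concrete index name and those users are filtered out — fail closed, but silently, and it should be stated or aligned with whatever matching the validators apply. How IndexPrivilege is keyed is decided in CombineUserRoles, whose body starts above this hunk. Both helpers recompute CombineUserRoles on every call and `make(map[string]struct{}, 0)` throws away a known size; `userClusterMap := make(map[string]struct{}, len(newRole.Cluster))` is the idiomatic form. Each exported function also wants a doc comment, e.g. `// FilterCluster returns the subset of cluster that the combined roles grant; names not granted are dropped.`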
@@ -99,6 +100,18 @@ func Test_validateCluster(t *testing.T) {
 },
 }, "no cluster permission",
 },
+ {"no cluster",
+ args{
+ req: ClusterRequest{
+ Cluster: []string{"cluster1"},
+ Privilege: []string{"indices.get_mapping"},
+ },
+ userRole: RolePermission{
+ Cluster: []string{},
+ ClusterPrivilege: []string{},
+ },
+ }, "no cluster permission",
+ },
 {"no cluster api",
 args{
 req: ClusterRequest{
@@ -122,10 +135,162 @@ func Test_validateCluster(t *testing.T) {
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- got := ValidateCluster(tt.args.req, tt.args.userRole)
- assert.EqualError(t, got, tt.want)
 })
 }
 }
+func TestStringInArray(t *testing.T) {
+ array := []string{"a", "b", "c", "d", "e"}
+ assert.Equal(t, true, util.StringInArray(array, "c"))
+ assert.Equal(t, false, util.StringInArray(array, "h"))
+}
+func TestFilterCluster(t *testing.T) {
+ RoleMap["test"] = Role{
+ Cluster: []struct {
+ Id string `json:"id"`
+ Name string `json:"name"`
+ }{
+ {
+ Id: "c97rd2les10hml00pgh0",
+ Name: "docker-cluster",
+ },
+ },
+ ClusterPrivilege: []string{"cat.*"},
+ Index: []struct {
+ Name []string `json:"name"`
+ Privilege []string `json:"privilege"`
+ }{
+ {
+ Name: []string{".infini_rbac-role"},
+ Privilege: []string{"indices.get_mapping"},
+ },
+ {
+ Name: []string{".infini_rbac-user", ".infini_rbac-role"},
+ Privilege: []string{"cat.*"},
+ },
+ },
+ }
+ type args struct {
+ roles []string
+ cluster []string
+ }
+ tests := []struct {
+ name string
+ args args
+ want []string
+ }{
+ {
+ name: "empty",
+ args: args{
+ roles: []string{"test"},
+ cluster: []string{
+ "cluser1", "cluster2",
+ },
+ },
+ want: []string{},
+ },
+ {
+ name: "one",
+ args: args{
+ roles: []string{"test"},
+ cluster: []string{
+ "cluser1", "cluster2", "c97rd2les10hml00pgh0",
+ },
+ },
+ want: []string{"c97rd2les10hml00pgh0"},
+ },
+ {
+ name: "only",
+ args: args{
+ roles: []string{"test"},
+ cluster: []string{
+ "c97rd2les10hml00pgh0",
+ },
+ },
+ want: []string{"c97rd2les10hml00pgh0"},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := FilterCluster(tt.args.roles, tt.args.cluster)
+ assert.Equal(t, got, tt.want)
+ })
+ }
+
+}
+func TestFilterIndex(t *testing.T) {
+ RoleMap["test"] = Role{
+ Cluster: []struct {
+ Id string `json:"id"`
+ Name string `json:"name"`
+ }{
+ {
+ Id: "c97rd2les10hml00pgh0",
+ Name: "docker-cluster",
+ },
+ },
+ ClusterPrivilege: []string{"cat.*"},
+ Index: []struct {
+ Name []string `json:"name"`
+ Privilege []string `json:"privilege"`
+ }{
+ {
+ Name: []string{".infini_rbac-role"},
+ Privilege: []string{"indices.get_mapping"},
+ },
+ {
+ Name: []string{".infini_rbac-user", ".infini_rbac-role"},
+ Privilege: []string{"cat.*"},
+ },
+ },
+ }
+
+ type args struct {
+ roles []string
+ index []string
+ }
+ tests := []struct {
+ name string
+ args args
+ want []string
+ }{
+ {
+ name: "empty",
+ args: args{
+ roles: []string{"test"},
+ index: []string{
+ "index1", "index2",
+ },
+ },
+ want: []string{},
+ },
+ {
+ name: "one",
+ args: args{
+ roles: []string{"test"},
+ index: []string{
+ "index1", "index2", ".infini_rbac-user",
+ },
+ },
+ want: []string{".infini_rbac-user"},
+ },
+ {
+ name: "only",
+ args: args{
+ roles: []string{"test"},
+ index: []string{
+ ".infini_rbac-user",
+ },
+ },
+ want: []string{".infini_rbac-user"},
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := FilterIndex(tt.args.roles, tt.args.index)
+ assert.Equal(t, got, tt.want)
+ })
+ }
+
+}
diff --git a/internal/middleware/user.go b/internal/middleware/user.go
index 9b41edf8..3f13b419 100644
--- a/internal/middleware/user.go
+++ b/internal/middleware/user.go
@@ -26,7 +26,6 @@ func PermissionRequired(h httprouter.Handle, permissions ...string) httprouter.H
 if err != nil {
 w = handleError(w, http.StatusUnauthorized, err)
- return
 }
 err = biz.ValidatePermission(claims, permissions)
diff --git a/main.go b/main.go
index 2ae5dca2..ce11dd6f 100644
--- a/main.go
+++ b/main.go
@@ -138,8 +138,8 @@ func main() {
 if err != nil {
 log.Errorf("init alerting task error: %v", err)
 }
- rbacApi.Init()
 }()
+ go rbacApi.Init()
 }, nil) {
 app.Run()
diff --git a/plugin/api/init.go b/plugin/api/init.go
index b4b2f4ec..5de226e1 100644
--- a/plugin/api/init.go
+++ b/plugin/api/init.go
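Review bot: Deleting `got := ValidateCluster(tt.args.req, tt.args.userRole)` and `assert.EqualError(t, got, tt.want)` leaves Test_validateCluster's t.Run body empty, so every table entry — including the `no cluster` case added earlier in this file — now passes without checking anything; restore those two lines (or drop the test) rather than keep a green no-op, unless ValidateCluster is being removed elsewhere in this change. TestFilterCluster and TestFilterIndex assign `RoleMap["test"]` into package-global state and never remove it, which leaks into whatever test runs next; add `t.Cleanup(func() { delete(RoleMap, "test") })` right after the assignment. `assert.Equal(t, got, tt.want)` also has expected and actual reversed, which only garbles the failure message but is a one-token fix. TestStringInArray exercises a framework helper rather than this package and adds no coverage here. Test_validateCluster's table begins above this hunk.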
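Review bot: Dropping the `return` after `w = handleError(w, http.StatusUnauthorized, err)` means a request whose credentials fail to parse no longer stops at the 401: control falls through to `biz.ValidatePermission(claims, permissions)` with whatever zero-value claims the failed parse left behind, and any later write to w lands on a response whose status was already sent. If ValidatePermission rejects empty claims that is a superfluous WriteHeader; if it does not, it is an authentication bypass, and nothing in the hunk shows which. Put the `return` back unless handleError is meant to end the handler, which a helper that hands w back does not suggest. PermissionRequired's body continues outside the hunk.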
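Review bot: `go rbacApi.Init()` now runs role loading concurrently with `app.Run()` instead of before it inside the existing goroutine, so the server can accept requests while `biz.RoleMap` is still empty (the api.go hunk in this commit fills it from SearchRole inside Init), and if the middleware reads that map during the load — the tests show CombineUserRoles does read it — a plain map is written and read from two goroutines at once, a data race on the authorization table. Keep Init synchronous ahead of app.Run(), or publish RoleMap atomically (RWMutex or an atomic pointer swap) and have Init signal readiness before traffic is admitted; run the suite with -race either way. Nothing waits for or can stop the new goroutine, and a failure inside it is at most logged. main's body continues outside the hunk.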
@@ -27,7 +27,7 @@ func Init(cfg *config.AppConfig) {
 api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index/_search"), m.IndexRequired(handler.HandleSearchDocumentAction, "doc.search"))
 api.HandleAPIMethod(api.POST, path.Join(esPrefix, "doc/:index"), m.IndexRequired(handler.HandleAddDocumentAction, "doc.create"))
- api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "doc/:index/:docId"), m.IndexRequired(handler.HandleUpdateDocumentAction, "doc.create"))
+ api.HandleAPIMethod(api.PUT, path.Join(esPrefix, "doc/:index/:docId"), m.IndexRequired(handler.HandleUpdateDocumentAction, "doc.update"))
 api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "doc/:index/:docId"), m.ClusterRequired(handler.HandleDeleteDocumentAction, "doc.delete"))
 api.HandleAPIMethod(api.GET, path.Join(esPrefix, "doc/_validate"), handler.ValidateDocIDAction)
diff --git a/plugin/api/rbac/api.go b/plugin/api/rbac/api.go
index 49993a27..1fecaa7d 100644
--- a/plugin/api/rbac/api.go
+++ b/plugin/api/rbac/api.go
@@ -2,6 +2,7 @@ package rbac
 import (
 "encoding/json"
+ "github.com/mitchellh/mapstructure"
 "infini.sh/console/internal/biz"
 "infini.sh/console/internal/biz/enum"
 m "infini.sh/console/internal/middleware"
@@ -11,7 +12,6 @@ import (
 "os"
 "path"
 log "src/github.com/cihub/seelog"
- "src/github.com/mitchellh/mapstructure"
 )
 type Rbac struct {
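Review bot: The PUT route now demands `doc.update`, which is the right fix, but the DELETE route directly below it is still wrapped in `m.ClusterRequired` while every other `doc/:index` route in this hunk uses `m.IndexRequired`, so deleting a document is checked at cluster level only and skips whatever per-index check IndexRequired performs. Unless that asymmetry is deliberate, change it to `m.IndexRequired(handler.HandleDeleteDocumentAction, "doc.delete")`. Init's body continues outside the hunk.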
@@ -73,30 +73,8 @@ func loadRolePermission() {
 biz.RoleMap["admin"] = biz.Role{
 Platform: enum.AdminPrivilege,
- Cluster: []struct {
- Id string `json:"id"`
- Name string `json:"name"`
- }{
- {
- Id: "c97rd2les10hml00pgh0",
- Name: "docker-cluster",
- },
- },
- ClusterPrivilege: []string{"cat.*"},
- Index: []struct {
- Name []string `json:"name"`
- Privilege []string `json:"privilege"`
- }{
- {
- Name: []string{".infini_rbac-role"},
- Privilege: []string{"indices.get_mapping"},
- },
- {
- Name: []string{".infini_rbac-user", ".infini_rbac-role"},
- Privilege: []string{"cat.*"},
- },
- },
 }
+
 res, err := biz.SearchRole("", 0, 1000)
 if err != nil {
 log.Error(err)
diff --git a/plugin/api/rbac/role.go b/plugin/api/rbac/role.go
index 5de2fcfb..403f8f3b 100644
--- a/plugin/api/rbac/role.go
+++ b/plugin/api/rbac/role.go
@@ -56,17 +56,17 @@ func (h Rbac) SearchRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 res, err := biz.SearchRole(keyword, from, size)
 if err != nil {
 log.Error(err)
- h.ErrorInternalServer(w, err.Error())
 return
 }
 response := elastic.SearchResponse{}
 util.FromJSONBytes(res.Raw, &response)
- list := response.Hits.Hits
+ hits := response.Hits.Hits
+ list := make([]elastic.IndexDocument, 0)
 total := response.GetTotal()
 var index string
- for _, v := range list {
+ for _, v := range hits {
 index = v.Index
 }
 for k, v := range enum.BuildRoles {
@@ -78,7 +78,7 @@ func (h Rbac) SearchRole(w http.ResponseWriter, r *http.Request, ps httprouter.P
 })
 total++
 }
-
+ list = append(list, hits...)
 response.Hits.Hits = list
 response.Hits.Total = total
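Review bot: The built-in admin Role is now `Platform: enum.AdminPrivilege` alone, with no Cluster, ClusterPrivilege or Index grants, so unless admin is special-cased somewhere this hunk does not show, CombineUserRoles and the new FilterCluster/FilterIndex will produce an empty allow-list for admins and their cluster and index requests will be refused; none of the tests in this commit cover the admin role, so add one before merging. `biz.SearchRole("", 0, 1000)` also caps the roles loaded into RoleMap at 1000 with no warning, so a role beyond that page never reaches the map and its users are silently locked out — page through the results, or at least log when the reported total exceeds the page size. A comment on the admin entry saying where admin's cluster/index scope is meant to come from would stop the next reader re-adding the hard-coded cluster that this hunk rightly removes. loadRolePermission continues outside the hunk.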
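Review bot: With `h.ErrorInternalServer(w, err.Error())` gone, the error branch in SearchRole logs and returns without writing a response, so the client gets an empty 200 and cannot tell a failed search from no roles. If the intent was to stop echoing the raw storage error to callers, keep that but still fail visibly with a generic message, e.g. `h.ErrorInternalServer(w, "search role failed")`, leaving the detail in the log. `util.FromJSONBytes(res.Raw, &response)` is called without inspecting any result, so if it reports decode failures they are ignored here and a malformed payload reads as an empty result set. SearchRole's body continues outside the hunk.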