diff --git a/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java b/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java
index cc357691d..b1ddaedb0 100644
--- a/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java
+++ b/src/main/java/run/halo/app/core/extension/endpoint/UserEndpoint.java
@@ -38,6 +38,7 @@ import run.halo.app.infra.utils.JsonUtils;
 @Component
 public class UserEndpoint implements CustomEndpoint {
 
+    private static final String SELF_USER = "-";
     private final ExtensionClient client;
     private final UserService userService;
 
@@ -94,7 +95,8 @@ public class UserEndpoint implements CustomEndpoint {
     Mono<ServerResponse> changePassword(ServerRequest request) {
         final var nameInPath = request.pathVariable("name");
         return ReactiveSecurityContextHolder.getContext()
-            .map(ctx -> "-".equals(nameInPath) ? ctx.getAuthentication().getName() : nameInPath)
+            .map(ctx -> SELF_USER.equals(nameInPath) ? ctx.getAuthentication().getName()
+                : nameInPath)
             .flatMap(username -> request.bodyToMono(ChangePasswordRequest.class)
                 .switchIfEmpty(Mono.defer(() ->
                     Mono.error(new ServerWebInputException("Request body is empty"))))
@@ -182,7 +184,9 @@ public class UserEndpoint implements CustomEndpoint {
     @NonNull
     private Mono<ServerResponse> getUserPermission(ServerRequest request) {
         String name = request.pathVariable("name");
-        return userService.listRoles(name)
+        return ReactiveSecurityContextHolder.getContext()
+            .map(ctx -> SELF_USER.equals(name) ? ctx.getAuthentication().getName() : name)
+            .flatMapMany(userService::listRoles)
             .reduce(new LinkedHashSet<Role>(), (list, role) -> {
                 list.add(role);
                 return list;
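Review bot: In `getUserPermission`, `ReactiveSecurityContextHolder.getContext()` completes empty when no security context is present, and the seeded `reduce` that follows would then still emit its empty `LinkedHashSet`. The handler would therefore probably answer with an empty permission set rather than an error. An explicit `switchIfEmpty(Mono.error(...))` carrying an authentication failure, placed before `flatMapMany`, makes that case visible. The `SELF_USER` ternary is now duplicated in `changePassword`; a small private helper that resolves the path name to the effective username would keep the two handlers in step. The method body continues past the end of this hunk.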
diff --git a/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java b/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
index 3b7d4a625..35680c1b9 100644
--- a/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
+++ b/src/main/java/run/halo/app/security/authorization/DefaultRuleResolver.java
@@ -4,6 +4,7 @@ import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.core.type.TypeReference;
 import java.util.ArrayList;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import lombok.Data;
@@ -23,7 +24,7 @@ import run.halo.app.infra.utils.JsonUtils;
  */
 @Data
 public class DefaultRuleResolver implements AuthorizationRuleResolver {
-
+    private static final String AUTHENTICATED_ROLE = "authenticated";
     private RoleService roleService;
 
     private RoleBindingService roleBindingService = new DefaultRoleBindingService();
@@ -49,7 +50,10 @@ public class DefaultRuleResolver implements AuthorizationRuleResolver {
 
     @Override
     public void visitRulesFor(UserDetails user, RuleAccumulator visitor) {
-        Set<String> roleNames = roleBindingService.listBoundRoleNames(user.getAuthorities());
+        Set<String> roleNamesImmutable =
+            roleBindingService.listBoundRoleNames(user.getAuthorities());
+        Set<String> roleNames = new HashSet<>(roleNamesImmutable);
+        roleNames.add(AUTHENTICATED_ROLE);
 
         List<Role.PolicyRule> rules = Collections.emptyList();
         for (String roleName : roleNames) {
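Review bot: `roleNames.add(AUTHENTICATED_ROLE)` in `visitRulesFor` is unconditional, so every `UserDetails` handed to this resolver is evaluated with the rules of the `authenticated` role, whatever authorities it holds. If an anonymous principal can reach this method (not visible in this hunk), it would receive the authenticated rules too, which would defeat the separate `anonymous` role this commit adds. Consider guarding the add on the principal not being anonymous. A comment would also help, for example `// every logged-in user implicitly holds the "authenticated" role, bound or not`. The name `roleNamesImmutable` asserts a property that nothing in the hunk establishes; `boundRoleNames` would claim less. The loop body continues outside the hunk.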
diff --git a/src/main/resources/extensions/role-template-anonymous.yaml b/src/main/resources/extensions/role-template-anonymous.yaml
new file mode 100644
index 000000000..4539f9cc7
--- /dev/null
+++ b/src/main/resources/extensions/role-template-anonymous.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: anonymous
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+rules: [ ]
diff --git a/src/main/resources/extensions/role-template-authenticated.yaml b/src/main/resources/extensions/role-template-authenticated.yaml
new file mode 100644
index 000000000..09b707162
--- /dev/null
+++ b/src/main/resources/extensions/role-template-authenticated.yaml
@@ -0,0 +1,51 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: authenticated
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: |
+      [ "role-template-own-user-info", "role-template-own-permissions", "role-template-change-own-password",
+      "role-template-manage-configmaps" ]
+rules: [ ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-own-user-info
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+rules:
+  - apiGroups: [ "api.halo.run" ]
+    resources: [ "users" ]
+    resourceNames: [ "-" ]
+    verbs: [ "list", "get" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-own-permissions
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+rules:
+  - apiGroups: [ "api.halo.run" ]
+    resources: [ "users/permissions" ]
+    resourceNames: [ "-" ]
+    verbs: [ "list", "get" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-change-own-password
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+rules:
+  - apiGroups: [ "api.halo.run" ]
+    resources: [ "users/password" ]
+    resourceNames: [ "-" ]
+    verbs: [ "update" ]
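Review bot: The `authenticated` role lists `role-template-manage-configmaps` in its dependencies annotation, and that template (role-template-configmap.yaml in this commit) grants `create`, `patch`, `update`, `delete` and `deletecollection` on `configmaps`. DefaultRuleResolver now adds `authenticated` to every user, so, assuming dependencies are expanded into effective rules, every logged-in account could modify or delete config maps. The other three dependencies are limited to `resourceNames: [ "-" ]`, but this one has no such scope. Suggest reducing the list to `[ "role-template-own-user-info", "role-template-own-permissions", "role-template-change-own-password" ]`. If ordinary users need to read configuration, depend on `role-template-view-configmaps` instead.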
diff --git a/src/main/resources/extensions/role-template-configmap.yaml b/src/main/resources/extensions/role-template-configmap.yaml
new file mode 100644
index 000000000..889f40b9a
--- /dev/null
+++ b/src/main/resources/extensions/role-template-configmap.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-configmaps
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-configmaps\" ]"
+    rbac.authorization.halo.run/module: "ConfigMaps Management"
+    rbac.authorization.halo.run/display-name: "ConfigMap Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:configmaps:manage"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-configmaps
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "ConfigMaps Management"
+    rbac.authorization.halo.run/display-name: "ConfigMap View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:configmaps:view"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-permissions.yaml b/src/main/resources/extensions/role-template-permissions.yaml
new file mode 100644
index 000000000..0e93d83ba
--- /dev/null
+++ b/src/main/resources/extensions/role-template-permissions.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-permissions
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-permissions\" ]"
+    rbac.authorization.halo.run/module: "Permissions Management"
+    rbac.authorization.halo.run/display-name: "Permissions Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:permissions:manage"]
+rules:
+  - apiGroups: [ "api.halo.run" ]
+    resources: [ "users/permissions" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-permissions
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Permissions Management"
+    rbac.authorization.halo.run/display-name: "Permissions View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:permissions:view"]
+rules:
+  - apiGroups: [ "api.halo.run" ]
+    resources: [ "users/permissions" ]
+    verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-plugin.yaml b/src/main/resources/extensions/role-template-plugin.yaml
new file mode 100644
index 000000000..8c851227b
--- /dev/null
+++ b/src/main/resources/extensions/role-template-plugin.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-plugins
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: |
+      [ "role-template-view-plugins", "role-template-manage-configmaps" ]
+    rbac.authorization.halo.run/module: "Plugins Management"
+    rbac.authorization.halo.run/display-name: "Plugin Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:plugins:manage"]
+rules:
+  - apiGroups: [ "plugin.halo.run" ]
+    resources: [ "plugins" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-plugins
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-settings\" ]"
+    rbac.authorization.halo.run/module: "Plugins Management"
+    rbac.authorization.halo.run/display-name: "Plugin View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:plugins:view"]
+rules:
+  - apiGroups: [ "plugin.halo.run" ]
+    resources: [ "plugins" ]
+    verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-role.yaml b/src/main/resources/extensions/role-template-role.yaml
new file mode 100644
index 000000000..c05dad219
--- /dev/null
+++ b/src/main/resources/extensions/role-template-role.yaml
@@ -0,0 +1,33 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-roles
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: |
+      [ "role-template-view-roles", "role-template-manage-permissions" ]
+    rbac.authorization.halo.run/module: "Roles Management"
+    rbac.authorization.halo.run/display-name: "Role Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:roles:manage"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "roles" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-roles
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Roles Management"
+    rbac.authorization.halo.run/display-name: "Role View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:roles:view"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "roles" ]
+    verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-setting.yaml b/src/main/resources/extensions/role-template-setting.yaml
new file mode 100644
index 000000000..444b3cbd6
--- /dev/null
+++ b/src/main/resources/extensions/role-template-setting.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-settings
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: "[ \"role-template-view-settings\" ]"
+    rbac.authorization.halo.run/module: "Settings Management"
+    rbac.authorization.halo.run/display-name: "Setting Manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:settings:manage"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "settings" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-settings
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Settings Management"
+    rbac.authorization.halo.run/display-name: "Setting View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:settings:view"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "settings" ]
+    verbs: [ "get", "list" ]
diff --git a/src/main/resources/extensions/role-template-user.yaml b/src/main/resources/extensions/role-template-user.yaml
new file mode 100644
index 000000000..8c7a1edd5
--- /dev/null
+++ b/src/main/resources/extensions/role-template-user.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-manage-users
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/dependencies: |
+      [ "role-template-view-users", "role-template-change-password" ]
+    rbac.authorization.halo.run/module: "Users Management"
+    rbac.authorization.halo.run/display-name: "User manage"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:users:manage"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "users" ]
+    verbs: [ "create", "patch", "update", "delete", "deletecollection" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-view-users
+  labels:
+    halo.run/role-template: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Users Management"
+    rbac.authorization.halo.run/display-name: "User View"
+    rbac.authorization.halo.run/ui-permissions: |
+      ["system:users:view"]
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "users" ]
+    verbs: [ "get", "list" ]
+---
+apiVersion: v1alpha1
+kind: "Role"
+metadata:
+  name: role-template-change-password
+  labels:
+    halo.run/role-template: "true"
+    halo.run/hidden: "true"
+  annotations:
+    rbac.authorization.halo.run/module: "Users Management"
+    rbac.authorization.halo.run/display-name: "User Password Change"
+rules:
+  - apiGroups: [ "api.halo.run" ]
+    resources: [ "users/password" ]
+    verbs: [ "update" ]
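Review bot: The `users/password` rule in `role-template-change-password` has no `resourceNames`, so unlike `role-template-change-own-password` it applies to every account, and `role-template-manage-users` pulls it in as a dependency. Anyone granted user management could therefore set the password of a more privileged account, unless `changePassword` enforces something beyond this rule; that part of the handler is outside the visible hunks. A comment above the rule would make the scope explicit, for example `# applies to all users, including administrators; grant only to trusted roles`. It is also worth confirming that the endpoint rejects changes to accounts with more privileges than the caller.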