diff --git a/apps/assets/api/system_user_relation.py b/apps/assets/api/system_user_relation.py
index 90a12eaec..66b9dc6ee 100644
--- a/apps/assets/api/system_user_relation.py
+++ b/apps/assets/api/system_user_relation.py
@@ -19,9 +19,10 @@ __all__ = [
 class RelationMixin:
     def get_queryset(self):
         queryset = self.model.objects.all()
-        org_id = current_org.org_id()
-        if org_id is not None:
+        if not current_org.is_root():
+            org_id = current_org.org_id()
             queryset = queryset.filter(systemuser__org_id=org_id)
+
         queryset = queryset.annotate(systemuser_display=Concat(
             F('systemuser__name'), Value('('), F('systemuser__username'),
             Value(')')
diff --git a/apps/assets/backends/db.py b/apps/assets/backends/db.py
index bf31e04c8..386f0ee29 100644
--- a/apps/assets/backends/db.py
+++ b/apps/assets/backends/db.py
@@ -165,7 +165,7 @@ class SystemUserBackend(DBBackend):
         kwargs = self.get_annotate()
         filters = self.get_filter()
         qs = self.model.objects.all().annotate(**kwargs)
-        if current_org.org_id() is not None:
+        if not current_org.is_root():
             filters['org_id'] = current_org.org_id()
         qs = qs.filter(**filters)
         qs = self.qs_to_values(qs)
diff --git a/apps/audits/api.py b/apps/audits/api.py
index f36724011..83caf0db9 100644
--- a/apps/audits/api.py
+++ b/apps/audits/api.py
@@ -100,6 +100,8 @@ class CommandExecutionViewSet(ListModelMixin, OrgGenericViewSet):
 
     def get_queryset(self):
         queryset = super().get_queryset()
+        if current_org.is_root():
+            return queryset
         queryset = queryset.filter(run_as__org_id=current_org.org_id())
         return queryset
 
diff --git a/apps/orgs/mixins/api.py b/apps/orgs/mixins/api.py
index 8717d86cd..404038202 100644
--- a/apps/orgs/mixins/api.py
+++ b/apps/orgs/mixins/api.py
@@ -43,17 +43,7 @@ class OrgQuerySetMixin:
 
 
 class OrgViewSetMixin(OrgQuerySetMixin):
-    root_org_readonly_msg = _("Root organization only allow view and delete")
-
-    def update(self, request, *args, **kwargs):
-        if current_org.is_root():
-            raise MethodNotAllowed('put', self.root_org_readonly_msg)
-        return super().update(request, *args, **kwargs)
-
-    def create(self, request, *args, **kwargs):
-        if current_org.is_root():
-            raise MethodNotAllowed('post', self.root_org_readonly_msg)
-        return super().update(request, *args, **kwargs)
+    pass
 
 
 class OrgModelViewSet(CommonApiMixin, OrgViewSetMixin, ModelViewSet):
@@ -80,7 +70,7 @@ class OrgBulkModelViewSet(CommonApiMixin, OrgViewSetMixin, BulkModelViewSet):
 class OrgRelationMixin(RelationMixin):
     def get_queryset(self):
         queryset = super().get_queryset()
-        org_id = current_org.org_id()
-        if org_id is not None:
+        if not current_org.is_root():
+            org_id = current_org.org_id()
             queryset = queryset.filter(**{f'{self.from_field}__org_id': org_id})
         return queryset
diff --git a/apps/perms/signals_handler/refresh_perms.py b/apps/perms/signals_handler/refresh_perms.py
index 1cd0332e7..e180d6116 100644
--- a/apps/perms/signals_handler/refresh_perms.py
+++ b/apps/perms/signals_handler/refresh_perms.py
@@ -3,7 +3,7 @@
 from django.db.models.signals import m2m_changed, pre_delete, pre_save, post_save
 from django.dispatch import receiver
 
-from users.models import User
+from users.models import User, UserGroup
 from assets.models import Asset
 from orgs.utils import current_org, tmp_to_org
 from common.utils import get_logger
@@ -23,16 +23,20 @@ def on_user_groups_change(sender, instance, action, reverse, pk_set, **kwargs):
     if reverse:
         group_ids = [instance.id]
         user_ids = pk_set
+        org_id = instance.org_id
     else:
         group_ids = pk_set
         user_ids = [instance.id]
 
+        group = UserGroup.objects.get(id=group_ids[0])
+        org_id = group.org_id
+
     exists = AssetPermission.user_groups.through.objects.filter(usergroup_id__in=group_ids).exists()
     if not exists:
         return
-    with tmp_to_org(instance.org):
-        org_ids = [current_org.id]
-        UserGrantedTreeRefreshController.add_need_refresh_orgs_for_users(org_ids, user_ids)
+
+    org_ids = [org_id]
+    UserGrantedTreeRefreshController.add_need_refresh_orgs_for_users(org_ids, user_ids)
 
 
 @receiver([pre_delete], sender=AssetPermission)
diff --git a/apps/static/img/login_image.png b/apps/static/img/login_image.png
index 60c851e78..0273e3669 100644
Binary files a/apps/static/img/login_image.png and b/apps/static/img/login_image.png differ
diff --git a/apps/terminal/backends/__init__.py b/apps/terminal/backends/__init__.py
index 4e08d052e..4b3dbfa5f 100644
--- a/apps/terminal/backends/__init__.py
+++ b/apps/terminal/backends/__init__.py
@@ -2,9 +2,12 @@ from importlib import import_module
 from django.conf import settings
 from django.utils.functional import LazyObject
 
+from common.utils import get_logger
 from .command.serializers import SessionCommandSerializer
 
 
+logger = get_logger(__file__)
+
 TYPE_ENGINE_MAPPING = {
     'elasticsearch': 'terminal.backends.command.es',
     'es': 'terminal.backends.command.es',
@@ -29,6 +32,10 @@ def get_terminal_command_storages():
     from ..models import CommandStorage
     storage_list = {}
     for s in CommandStorage.objects.all():
+        if not s.is_valid():
+            logger.warn(f'Command storage invalid: storage={s}')
+            continue
+
         if s.type_server:
             storage = get_command_storage()
         else: