diff --git a/apps/rbac/api/role.py b/apps/rbac/api/role.py
index edb3ec07e..e679edf67 100644
--- a/apps/rbac/api/role.py
+++ b/apps/rbac/api/role.py
@@ -30,6 +30,9 @@ class RoleViewSet(JMSModelViewSet):
 if instance.builtin:
 error = _("Internal role, can't be destroy")
 raise PermissionDenied(error)
+ if instance.users.count() >= 1:
+ error = _("The role has been bound to users, can't be destroy")
+ raise PermissionDenied(error)
 return super().perform_destroy(instance)

 def perform_update(self, serializer):
diff --git a/apps/rbac/api/rolebinding.py b/apps/rbac/api/rolebinding.py
index 3e9165323..677ef30bf 100644
--- a/apps/rbac/api/rolebinding.py
+++ b/apps/rbac/api/rolebinding.py
@@ -44,11 +44,8 @@ class SystemRoleBindingViewSet(RoleBindingViewSet):
 role_qs = self.model.objects.filter(user=user)
 if role_qs.count() == 1:
 msg = _('{} at least one system role').format(user)
- raise JMSException(
- code='system_role_delete_error',
- detail=msg
- )
- super().perform_destroy(instance)
+ raise JMSException(code='system_role_delete_error', detail=msg)
+ return super().perform_destroy(instance)


 class OrgRoleBindingViewSet(RoleBindingViewSet):
diff --git a/apps/rbac/urls/api_urls.py b/apps/rbac/urls/api_urls.py
index a587354aa..5dc080930 100644
--- a/apps/rbac/urls/api_urls.py
+++ b/apps/rbac/urls/api_urls.py
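Review bot: In apps/rbac/api/role.py the added bound-users guard is a check followed by a separate delete, and nothing visible in the hunk holds the role's state between `instance.users.count()` and `super().perform_destroy(instance)`, so a binding created in that window would still have its role deleted from under it. The existing `role_qs.count() == 1` guard in SystemRoleBindingViewSet.perform_destroy (apps/rbac/api/rolebinding.py) has the same shape: two concurrent deletes could each see two bindings and together leave the user with no system role. Running each check and its delete inside one `transaction.atomic()` block with the parent row locked, or enforcing the rule with a database-level constraint, would close the gap; the models are not shown here, so which option fits is for the author to confirm. Separately, `if instance.users.exists():` states the intent more directly than `count() >= 1` and avoids a full count, assuming `users` is a queryset or manager. Both perform_destroy bodies begin outside their hunks.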
@@ -9,11 +9,14 @@ app_name = 'rbac'

 router = BulkRouter()
 router.register(r'roles', api.RoleViewSet, 'role')
-router.register(r'system-roles', api.SystemRoleViewSet, 'system-role')
-router.register(r'org-roles', api.OrgRoleViewSet, 'org-role')
 router.register(r'role-bindings', api.RoleBindingViewSet, 'role-binding')
+
+router.register(r'system-roles', api.SystemRoleViewSet, 'system-role')
 router.register(r'system-role-bindings', api.SystemRoleBindingViewSet, 'system-role-binding')
+
+router.register(r'org-roles', api.OrgRoleViewSet, 'org-role')
 router.register(r'org-role-bindings', api.OrgRoleBindingViewSet, 'org-role-binding')
+
 router.register(r'permissions', api.PermissionViewSet, 'permission')

 system_role_router = routers.NestedDefaultRouter(router, r'system-roles', lookup='system_role')