diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index 39ea8420f..6b5e716e0 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -41,11 +41,10 @@ def default_node():
 
 
 class AssetManager(OrgManager):
-    # def get_queryset(self):
-    #     return super().get_queryset().annotate(
-    #         platform_base=models.F('platform__base')
-    #     )
-    pass
+    def get_queryset(self):
+        return super().get_queryset().annotate(
+            platform_base=models.F('platform__base')
+        )
 
 
 class AssetQuerySet(models.QuerySet):
diff --git a/apps/authentication/backends/api.py b/apps/authentication/backends/api.py
index 599351d0a..b61798695 100644
--- a/apps/authentication/backends/api.py
+++ b/apps/authentication/backends/api.py
@@ -106,6 +106,9 @@ class AccessKeyAuthentication(authentication.BaseAuthentication):
             raise exceptions.AuthenticationFailed(_('User disabled.'))
         return access_key.user, None
 
+    def authenticate_header(self, request):
+        return 'Sign access_key_id:Signature'
+
 
 class AccessTokenAuthentication(authentication.BaseAuthentication):
     keyword = 'Bearer'
@@ -143,6 +146,9 @@ class AccessTokenAuthentication(authentication.BaseAuthentication):
             raise exceptions.AuthenticationFailed(msg)
         return user, None
 
+    def authenticate_header(self, request):
+        return self.keyword
+
 
 class PrivateTokenAuthentication(authentication.TokenAuthentication):
     model = PrivateToken
diff --git a/apps/common/drf/filters.py b/apps/common/drf/filters.py
index c11a7864d..c5ee0b309 100644
--- a/apps/common/drf/filters.py
+++ b/apps/common/drf/filters.py
@@ -9,7 +9,7 @@ import logging
 
 from common import const
 
-__all__ = ["DatetimeRangeFilter", "IDSpmFilter", "CustomFilter"]
+__all__ = ["DatetimeRangeFilter", "IDSpmFilter", 'IDInFilter', "CustomFilter"]
 
 
 class DatetimeRangeFilter(filters.BaseFilterBackend):
@@ -68,6 +68,25 @@ class IDSpmFilter(filters.BaseFilterBackend):
         return queryset
 
 
+class IDInFilter(filters.BaseFilterBackend):
+    def get_schema_fields(self, view):
+        return [
+            coreapi.Field(
+                name='ids', location='query', required=False,
+                type='string', example='/api/v1/users/users?ids=1,2,3',
+                description='Filter by id set'
+            )
+        ]
+
+    def filter_queryset(self, request, queryset, view):
+        ids = request.query_params.get('ids')
+        if not ids:
+            return queryset
+        id_list = [i.strip() for i in ids.split(',')]
+        queryset = queryset.filter(id__in=id_list)
+        return queryset
+
+
 class CustomFilter(filters.BaseFilterBackend):
 
     def get_schema_fields(self, view):
diff --git a/apps/common/mixins/api.py b/apps/common/mixins/api.py
index 613d66eba..079e9f038 100644
--- a/apps/common/mixins/api.py
+++ b/apps/common/mixins/api.py
@@ -9,7 +9,7 @@ from django.http import JsonResponse
 from rest_framework.response import Response
 from rest_framework.settings import api_settings
 
-from common.drf.filters import IDSpmFilter, CustomFilter
+from common.drf.filters import IDSpmFilter, CustomFilter, IDInFilter
 from ..utils import lazyproperty
 
 __all__ = [
@@ -49,7 +49,7 @@ class SerializerMixin:
 
 
 class ExtraFilterFieldsMixin:
-    default_added_filters = [CustomFilter, IDSpmFilter]
+    default_added_filters = [CustomFilter, IDSpmFilter, IDInFilter]
     filter_backends = api_settings.DEFAULT_FILTER_BACKENDS
     extra_filter_fields = []
     extra_filter_backends = []
diff --git a/apps/orgs/middleware.py b/apps/orgs/middleware.py
index 3e491d3d2..efbee2dde 100644
--- a/apps/orgs/middleware.py
+++ b/apps/orgs/middleware.py
@@ -34,8 +34,7 @@ class OrgMiddleware:
     def __call__(self, request):
         self.set_permed_org_if_need(request)
         org = get_org_from_request(request)
-        if org is not None:
-            request.current_org = org
-            set_current_org(org)
+        request.current_org = org
+        set_current_org(org)
         response = self.get_response(request)
         return response
diff --git a/apps/orgs/utils.py b/apps/orgs/utils.py
index d5ea4ca30..6870942da 100644
--- a/apps/orgs/utils.py
+++ b/apps/orgs/utils.py
@@ -24,7 +24,7 @@ def get_org_from_request(request):
         oid = Organization.DEFAULT_ID
     elif oid.lower() == "root":
         oid = Organization.ROOT_ID
-    org = Organization.get_instance(oid)
+    org = Organization.get_instance(oid, True)
     return org
 
 
diff --git a/apps/settings/models.py b/apps/settings/models.py
index 75b56bb54..30732a00c 100644
--- a/apps/settings/models.py
+++ b/apps/settings/models.py
@@ -10,7 +10,8 @@ from common.utils import signer
 
 class SettingQuerySet(models.QuerySet):
     def __getattr__(self, item):
-        instances = self.filter(name=item)
+        queryset = list(self)
+        instances = [i for i in queryset if i.name == item]
         if len(instances) == 1:
             return instances[0]
         else:
diff --git a/apps/users/serializers/group.py b/apps/users/serializers/group.py
index 67b21668c..078ceb8a8 100644
--- a/apps/users/serializers/group.py
+++ b/apps/users/serializers/group.py
@@ -18,7 +18,7 @@ __all__ = [
 class UserGroupSerializer(BulkOrgResourceModelSerializer):
     users = serializers.PrimaryKeyRelatedField(
         required=False, many=True, queryset=User.objects, label=_('User'),
-        write_only=True
+        # write_only=True, group can return many to many on detail
     )
 
     class Meta:
@@ -38,7 +38,7 @@ class UserGroupSerializer(BulkOrgResourceModelSerializer):
 
     def set_fields_queryset(self):
         users_field = self.fields['users']
-        users_field.child_relation.queryset = utils.get_current_org_members()
+        users_field.child_relation.queryset = utils.get_current_org_members(exclude=('Auditor',))
 
     def validate_users(self, users):
         for user in users: