diff --git a/spug_api/apps/account/models.py b/spug_api/apps/account/models.py
index ea7615b..047a0f9 100644
--- a/spug_api/apps/account/models.py
+++ b/spug_api/apps/account/models.py
@@ -18,8 +18,8 @@ class User(models.Model, ModelMixin):
     token_expired = models.IntegerField(null=True)
     last_login = models.CharField(max_length=20)
     last_ip = models.CharField(max_length=50)
-    role = models.ForeignKey('Role', on_delete=models.PROTECT, null=True)
     wx_token = models.CharField(max_length=50, null=True)
+    roles = models.ManyToManyField('Role', db_table='user_role_rel')
 
     created_at = models.CharField(max_length=20, default=human_datetime)
     created_by = models.ForeignKey('User', models.PROTECT, related_name='+', null=True)
@@ -35,26 +35,32 @@ class User(models.Model, ModelMixin):
 
     @property
     def page_perms(self):
-        if self.role and self.role.page_perms:
-            data = []
-            perms = json.loads(self.role.page_perms)
-            for m, v in perms.items():
-                for p, d in v.items():
-                    data.extend(f'{m}.{p}.{x}' for x in d)
-            return data
-        else:
-            return []
+        data = set()
+        for item in self.roles.all():
+            if item.page_perms:
+                perms = json.loads(item.page_perms)
+                for m, v in perms.items():
+                    for p, d in v.items():
+                        data.update(f'{m}.{p}.{x}' for x in d)
+        return list(data)
 
     @property
     def deploy_perms(self):
-        perms = json.loads(self.role.deploy_perms) if self.role and self.role.deploy_perms else {}
-        perms.setdefault('apps', [])
-        perms.setdefault('envs', [])
-        return perms
+        data = {'apps': set(), 'envs': set()}
+        for item in self.roles.all():
+            if item.deploy_perms:
+                perms = json.loads(item.deploy_perms)
+                data['apps'].update(perms.get('apps', []))
+                data['envs'].update(perms.get('envs', []))
+        return data
 
     @property
     def group_perms(self):
-        return json.loads(self.role.group_perms) if self.role and self.role.group_perms else []
+        data = set()
+        for item in self.roles.all():
+            if item.group_perms:
+                data.update(json.loads(item.group_perms))
+        return list(data)
 
     def has_perms(self, codes):
         # return self.is_supper or self.role in codes
diff --git a/spug_api/apps/account/views.py b/spug_api/apps/account/views.py
index a8cdfc9..3eebac7 100644
--- a/spug_api/apps/account/views.py
+++ b/spug_api/apps/account/views.py
@@ -3,7 +3,6 @@
 # Released under the AGPL-3.0 License.
 from django.core.cache import cache
 from django.views.generic import View
-from django.db.models import F
 from libs import JsonParser, Argument, human_datetime, json_response
 from libs.utils import get_request_real_ip, generate_random_str
 from libs.spug import send_login_wx_code
@@ -19,49 +18,54 @@ import json
 class UserView(View):
     def get(self, request):
         users = []
-        for u in User.objects.filter(deleted_by_id__isnull=True).annotate(role_name=F('role__name')):
+        for u in User.objects.filter(deleted_by_id__isnull=True):
             tmp = u.to_dict(excludes=('access_token', 'password_hash'))
-            tmp['role_name'] = u.role_name
+            tmp['role_ids'] = [x.id for x in u.roles.all()]
+            tmp['password'] = '******'
             users.append(tmp)
         return json_response(users)
 
     def post(self, request):
         form, error = JsonParser(
+            Argument('id', type=int, required=False),
             Argument('username', help='请输入登录名'),
             Argument('password', help='请输入密码'),
             Argument('nickname', help='请输入姓名'),
-            Argument('role_id', type=int, help='请选择角色'),
+            Argument('role_ids', type=list, default=[]),
             Argument('wx_token', required=False),
         ).parse(request.body)
         if error is None:
-            if User.objects.filter(username=form.username, deleted_by_id__isnull=True).exists():
+            user = User.objects.filter(username=form.username, deleted_by_id__isnull=True).first()
+            if user and (not form.id or form.id != user.id):
                 return json_response(error=f'已存在登录名为【{form.username}】的用户')
-            form.password_hash = User.make_password(form.pop('password'))
-            form.created_by = request.user
-            User.objects.create(**form)
+
+            role_ids, password = form.pop('role_ids'), form.pop('password')
+            if form.id:
+                User.objects.filter(pk=form.id).update(**form)
+            else:
+                User.objects.create(
+                    password_hash=User.make_password(password),
+                    created_by=request.user,
+                    **form
+                )
+            user.roles.set(role_ids)
         return json_response(error=error)
 
     def patch(self, request):
         form, error = JsonParser(
-            Argument('id', type=int, help='请指定操作对象'),
-            Argument('username', required=False),
+            Argument('id', type=int, help='参数错误'),
             Argument('password', required=False),
-            Argument('nickname', required=False),
-            Argument('role_id', required=False),
-            Argument('wx_token', required=False),
             Argument('is_active', type=bool, required=False),
-        ).parse(request.body, True)
+        ).parse(request.body)
         if error is None:
-            if form.get('password'):
-                form.token_expired = 0
-                form.password_hash = User.make_password(form.pop('password'))
-            if 'username' in form:
-                if User.objects.filter(username=form.username, deleted_by_id__isnull=True).exclude(id=form.id).exists():
-                    return json_response(error=f'已存在登录名为【{form.username}】的用户')
-            if 'is_active' in form:
-                user = User.objects.get(pk=form.id)
+            user = User.objects.get(pk=form.id)
+            if form.password:
+                user.token_expired = 0
+                user.password_hash = User.make_password(form.pop('password'))
+            if form.is_active is not None:
+                user.is_active = form.is_active
                 cache.delete(user.username)
-            User.objects.filter(pk=form.pop('id')).update(**form)
+            user.save()
         return json_response(error=error)
 
     def delete(self, request):
@@ -73,7 +77,7 @@ class UserView(View):
             if user:
                 if user.type == 'ldap':
                     return json_response(error='ldap账户无法删除，请使用禁用功能来禁止该账户访问系统')
-                user.role_id = None
+                user.is_active = True
                 user.deleted_at = human_datetime()
                 user.deleted_by = request.user
                 user.save()
@@ -124,9 +128,10 @@ class RoleView(View):
             Argument('id', type=int, help='参数错误')
         ).parse(request.GET)
         if error is None:
-            if User.objects.filter(role_id=form.id).exists():
+            role = Role.objects.get(pk=form.id)
+            if role.user_set.exists():
                 return json_response(error='已有用户使用了该角色，请解除关联后再尝试删除')
-            Role.objects.filter(pk=form.id).delete()
+            role.delete()
         return json_response(error=error)
 
 
diff --git a/spug_web/src/pages/system/account/Form.js b/spug_web/src/pages/system/account/Form.js
index 5ae5461..cf9395a 100644
--- a/spug_web/src/pages/system/account/Form.js
+++ b/spug_web/src/pages/system/account/Form.js
@@ -24,18 +24,13 @@ export default observer(function () {
   function handleSubmit() {
     setLoading(true);
     const formData = form.getFieldsValue();
-    let request;
-    if (store.record.id) {
-      formData['id'] = store.record.id;
-      request = http.patch('/api/account/user/', formData)
-    } else {
-      request = http.post('/api/account/user/', formData)
-    }
-    request.then(() => {
-      message.success('操作成功');
-      store.formVisible = false;
-      store.fetchRecords()
-    }, () => setLoading(false))
+    formData.id = store.record.id;
+    http.post('/api/account/user/', formData)
+      .then(() => {
+        message.success('操作成功');
+        store.formVisible = false;
+        store.fetchRecords()
+      }, () => setLoading(false))
   }
 
   return (
@@ -54,14 +49,12 @@ export default observer(function () {
         <Form.Item required name="nickname" label="姓名">
           <Input placeholder="请输入姓名"/>
         </Form.Item>
-        {store.record.id === undefined && (
-          <Form.Item required name="password" label="密码">
-            <Input type="password" placeholder="请输入密码"/>
-          </Form.Item>
-        )}
-        <Form.Item hidden={store.record.is_supper} required label="角色" style={{marginBottom: 0}}>
-          <Form.Item name="role_id" style={{display: 'inline-block', width: '80%'}}>
-            <Select placeholder="请选择">
+        <Form.Item required hidden={store.record.id} name="password" label="密码">
+          <Input type="password" placeholder="请输入密码"/>
+        </Form.Item>
+        <Form.Item hidden={store.record.is_supper} label="角色" style={{marginBottom: 0}}>
+          <Form.Item name="role_ids" style={{display: 'inline-block', width: '80%'}}>
+            <Select mode="multiple" placeholder="请选择">
               {roleStore.records.map(item => (
                 <Select.Option value={item.id} key={item.id}>{item.name}</Select.Option>
               ))}
diff --git a/spug_web/src/pages/system/account/Table.js b/spug_web/src/pages/system/account/Table.js
index 35be53d..1b1cc17 100644
--- a/spug_web/src/pages/system/account/Table.js
+++ b/spug_web/src/pages/system/account/Table.js
@@ -6,8 +6,8 @@
 import React from 'react';
 import { observer } from 'mobx-react';
 import { ExclamationCircleOutlined, PlusOutlined } from '@ant-design/icons';
-import { Divider, Form, Radio, Modal, Button, Badge, message, Input } from 'antd';
-import { LinkButton, TableCard } from 'components';
+import { Form, Radio, Modal, Button, Badge, message, Input } from 'antd';
+import { TableCard, Action } from 'components';
 import http from 'libs/http';
 import store from './store';
 
@@ -30,9 +30,6 @@ class ComTable extends React.Component {
   }, {
     title: '姓名',
     dataIndex: 'nickname',
-  }, {
-    title: '角色',
-    dataIndex: 'role_name'
   }, {
     title: '状态',
     render: text => text['is_active'] ? <Badge status="success" text="正常"/> : <Badge status="default" text="禁用"/>
@@ -42,15 +39,12 @@ class ComTable extends React.Component {
   }, {
     title: '操作',
     render: info => (
-      <span>
-        <LinkButton onClick={() => this.handleActive(info)}>{info['is_active'] ? '禁用' : '启用'}</LinkButton>
-        <Divider type="vertical"/>
-        <LinkButton onClick={() => store.showForm(info)}>编辑</LinkButton>
-        <Divider type="vertical"/>
-        <LinkButton disabled={info['type'] === 'ldap'} onClick={() => this.handleReset(info)}>重置密码</LinkButton>
-        <Divider type="vertical"/>
-        <LinkButton onClick={() => this.handleDelete(info)}>删除</LinkButton>
-      </span>
+      <Action>
+        <Action.Button onClick={() => this.handleActive(info)}>{info['is_active'] ? '禁用' : '启用'}</Action.Button>
+        <Action.Button onClick={() => store.showForm(info)}>编辑</Action.Button>
+        <Action.Button disabled={info['type'] === 'ldap'} onClick={() => this.handleReset(info)}>重置密码</Action.Button>
+        <Action.Button danger onClick={() => this.handleDelete(info)}>删除</Action.Button>
+      </Action>
     )
   }];
 
diff --git a/spug_web/src/pages/system/role/Table.js b/spug_web/src/pages/system/role/Table.js
index ec2d213..5d68dd9 100644
--- a/spug_web/src/pages/system/role/Table.js
+++ b/spug_web/src/pages/system/role/Table.js
@@ -5,11 +5,11 @@
  */
 import React from 'react';
 import { observer } from 'mobx-react';
-import { Divider, Modal, message } from 'antd';
+import { Modal, message } from 'antd';
 import { PlusOutlined } from '@ant-design/icons';
+import { TableCard, AuthButton, Action } from 'components';
 import http from 'libs/http';
 import store from './store';
-import { LinkButton, TableCard, AuthButton } from "components";
 
 @observer
 class ComTable extends React.Component {
@@ -31,24 +31,20 @@ class ComTable extends React.Component {
     title: '操作',
     width: 400,
     render: info => (
-      <span>
-        <LinkButton onClick={() => store.showForm(info)}>编辑</LinkButton>
-        <Divider type="vertical"/>
-        <LinkButton onClick={() => store.showPagePerm(info)}>功能权限</LinkButton>
-        <Divider type="vertical"/>
-        <LinkButton onClick={() => store.showDeployPerm(info)}>发布权限</LinkButton>
-        <Divider type="vertical"/>
-        <LinkButton onClick={() => store.showHostPerm(info)}>主机权限</LinkButton>
-        <Divider type="vertical"/>
-        <LinkButton onClick={() => this.handleDelete(info)}>删除</LinkButton>
-      </span>
+      <Action>
+        <Action.Button onClick={() => store.showForm(info)}>编辑</Action.Button>
+        <Action.Button onClick={() => store.showPagePerm(info)}>功能权限</Action.Button>
+        <Action.Button onClick={() => store.showDeployPerm(info)}>发布权限</Action.Button>
+        <Action.Button onClick={() => store.showHostPerm(info)}>主机权限</Action.Button>
+        <Action.Button danger onClick={() => this.handleDelete(info)}>删除</Action.Button>
+      </Action>
     )
   }];
 
   handleDelete = (text) => {
     Modal.confirm({
       title: '删除确认',
-      content: `确定要删除【${text['name']}】?`,
+      content: `确定要删除角色【${text['name']}】?`,
       onOk: () => {
         return http.delete('/api/account/role/', {params: {id: text.id}})
           .then(() => {