diff --git a/pkg/apiserver/iam/im.go b/pkg/apiserver/iam/im.go
index edd7b2a23db121b8356f1b1307c16218420cbeca..2957d0e21c59ececa9635652188c6fec24cfa611 100644
--- a/pkg/apiserver/iam/im.go
+++ b/pkg/apiserver/iam/im.go
@@ -160,6 +160,11 @@ func UpdateUser(req *restful.Request, resp *restful.Response) {
 }
 }
+ if usernameInHeader == user.Username {
+ // change cluster role by self is not permitted
+ user.ClusterRole = ""
+ }
+
 result, err := iam.UpdateUser(&user)
 if err != nil {
diff --git a/pkg/models/iam/im.go b/pkg/models/iam/im.go
index ec98d7f2d24ea6fc00647ac853ad4bd7861de4c2..cef5b10b3f98d038a1a83c77c46be0514555482d 100644
--- a/pkg/models/iam/im.go
+++ b/pkg/models/iam/im.go
@@ -1166,11 +1166,13 @@ func UpdateUser(user *models.User) (*models.User, error) {
 return nil, err
 }
- err = CreateClusterRoleBinding(user.Username, user.ClusterRole)
+ if user.ClusterRole != "" {
+ err = CreateClusterRoleBinding(user.Username, user.ClusterRole)
- if err != nil {
- klog.Errorln("create cluster role binding filed", err)
- return nil, err
+ if err != nil {
+ klog.Errorln(err)
+ return nil, err
+ }
 }
 // clear auth failed record
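Review bot: The self-update guard in the handler only works through an undocumented contract with `iam.UpdateUser` in pkg/models/iam/im.go: blanking `user.ClusterRole` blocks the change solely because the model layer now skips the binding when the field is empty, so a later change there would silently re-enable self-assignment of cluster roles. Rejecting a request that carries a non-empty role for the caller's own account would be more explicit than discarding the field; at minimum the comment should state the contract, e.g. `// a user must not change their own cluster role; "" tells iam.UpdateUser to leave the binding untouched`. The comparison is an exact string match and `usernameInHeader` is assigned outside the hunk, so it is worth confirming that the value comes from the authenticated identity and that both usernames are normalised the same way before this point. The body of the handler starts and ends outside the hunk.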
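Review bot: The new `klog.Errorln(err)` drops the context the old message carried, so a failed role binding is logged as a bare error with no indication of the operation or the account involved; for a privilege-changing step that context is worth keeping, e.g. `klog.Errorln("create cluster role binding failed:", user.Username, user.ClusterRole, err)`. The `user.ClusterRole != ""` check also makes an empty role mean "keep the existing binding" for every caller of this function, not only the self-update path, which deserves a comment such as `// empty ClusterRole: leave the current binding unchanged`. UpdateUser's body starts and ends outside the hunk, so whether the earlier update steps have already been persisted when the binding fails cannot be judged from here.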