diff --git a/pkg/controller/group/group_controller.go b/pkg/controller/group/group_controller.go
index 728346efc6a11a27f82388f6f01db440bdb132d5..204f10011df6f9169ad4566353167c9853ca0820 100644
--- a/pkg/controller/group/group_controller.go
+++ b/pkg/controller/group/group_controller.go
@@ -42,6 +42,7 @@ import (
 fedv1beta1lister "kubesphere.io/kubesphere/pkg/client/listers/types/v1beta1"
 "kubesphere.io/kubesphere/pkg/constants"
 "kubesphere.io/kubesphere/pkg/controller/utils/controller"
+ "kubesphere.io/kubesphere/pkg/utils/k8sutil"
 "kubesphere.io/kubesphere/pkg/utils/sliceutil"
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 )
@@ -142,6 +143,30 @@ func (c *Controller) reconcile(key string) error {
 }
 }
+ if group.Labels != nil {
+ // Set OwnerReferences when the group has a parent.
+ if parent, ok := group.Labels[iam1alpha2.GroupParent]; ok && !k8sutil.IsControlledBy(group.OwnerReferences, "Group", parent) {
+ if g == nil {
+ g = group.DeepCopy()
+ }
+ groupParent, err := c.groupLister.Get(parent)
+ if err != nil {
+ if errors.IsNotFound(err) {
+ utilruntime.HandleError(fmt.Errorf("Parent group '%s' no longer exists", key))
+ delete(group.Labels, iam1alpha2.GroupParent)
+ } else {
+ klog.Error(err)
+ return err
+ }
+ } else {
+ if err := controllerutil.SetControllerReference(groupParent, g, scheme.Scheme); err != nil {
+ klog.Error(err)
+ return err
+ }
+ }
+ }
+ }
+
 if g != nil {
 if _, err = c.ksClient.IamV1alpha2().Groups().Update(g); err != nil {
 return err
diff --git a/pkg/controller/group/group_controller_test.go b/pkg/controller/group/group_controller_test.go
index 66dffc2c78e12b065ac75f69e5f508016e77a069..10cef7328267297d94e7ad41531c5ced3de10ccb 100644
--- a/pkg/controller/group/group_controller_test.go
+++ b/pkg/controller/group/group_controller_test.go
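Review bot: In the not-found branch of reconcile, `delete(group.Labels, iam1alpha2.GroupParent)` edits `group`, which appears to be the object returned by the lister, rather than the copy `g` taken a few lines earlier. The informer cache entry is changed in place while the `Update(g)` that follows still carries the stale parent label, so the removal is never persisted; use `delete(g.Labels, iam1alpha2.GroupParent)`. The message on the line above formats `key`, the child's key, where the missing parent is meant: `fmt.Errorf("parent group %q no longer exists", parent)`. Since the label value decides which Group becomes the controller owner, and with it whose deletion garbage-collects this one, it is worth confirming that only trusted writers can set it. reconcile starts and ends outside the hunk.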
@@ -288,6 +288,20 @@ func (f *fixture) expectUpdateGroupsFinalizerAction(group *v1alpha2.Group) {
 f.actions = append(f.actions, action)
 }
+func (f *fixture) expectUpdateParentsRefAction(parent, child *v1alpha2.Group) {
+ expect := child.DeepCopy()
+ if expect.Labels == nil {
+ expect.Labels = make(map[string]string, 0)
+ }
+
+ controllerutil.SetControllerReference(parent, expect, scheme.Scheme)
+
+ expect.Finalizers = []string{"finalizers.kubesphere.io/groups"}
+ expect.Labels[constants.KubefedManagedLabel] = "false"
+ action := core.NewUpdateAction(schema.GroupVersionResource{Resource: "groups"}, "", expect)
+ f.actions = append(f.actions, action)
+}
+
 func (f *fixture) expectCreateFederatedGroupsAction(group *v1alpha2.Group) {
 federatedGroup := newFederatedGroup(group)
@@ -357,6 +371,19 @@ func TestDoNothing(t *testing.T) {
 f.run(getKey(group, t))
 }
+func TestGroupCreateWithParent(t *testing.T) {
+ f := newFixture(t)
+ parent := newGroup("parent")
+ child := newGroup("child")
+ child.Labels = map[string]string{v1alpha2.GroupParent: "parent"}
+
+ f.groupLister = append(f.groupLister, parent, child)
+ f.objects = append(f.objects, parent, child)
+
+ f.expectUpdateParentsRefAction(parent, child)
+ f.run(getKey(child, t))
+}
+
 func TestFederetedGroupCreate(t *testing.T) {
 f := newFixture(t)
diff --git a/pkg/kapis/iam/v1alpha2/register.go b/pkg/kapis/iam/v1alpha2/register.go
index acf8404f8dd7320fef4151530438a08c6dc24e32..7399c6da49045874db20b1e43503c67e42d044de 100644
--- a/pkg/kapis/iam/v1alpha2/register.go
+++ b/pkg/kapis/iam/v1alpha2/register.go
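Review bot: expectUpdateParentsRefAction drops the error returned by `controllerutil.SetControllerReference(parent, expect, scheme.Scheme)`, so a failure there would build an expectation without the owner reference and the test would fail on a confusing object diff instead of the real cause. Check it and abort the test, e.g. `if err := controllerutil.SetControllerReference(parent, expect, scheme.Scheme); err != nil { f.t.Fatal(err) }`, assuming the fixture keeps its `*testing.T` in a field such as `t`. `make(map[string]string, 0)` can be written `map[string]string{}`.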
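Review bot: TestGroupCreateWithParent covers only the case where the parent exists; the branch in reconcile that handles a missing parent has no test. A second case with the `v1alpha2.GroupParent` label pointing at a group that is not in `f.groupLister` should assert that the update sent to the API no longer carries the label and sets no owner reference. That case would also show whether the label removal reaches the object that is actually updated.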
@@ -576,7 +576,7 @@ func AddToContainer(container *restful.Container, im im.IdentityManagementInterf
 Returns(http.StatusOK, api.StatusOK, []v1.RoleBinding{}).
 Metadata(restfulspec.KeyOpenAPITags, []string{constants.NamespaceRoleTag}))
- ws.Route(ws.DELETE("/namespace/{namespace}/rolebindings/{rolebinding}").
+ ws.Route(ws.DELETE("/namespaces/{namespace}/rolebindings/{rolebinding}").
 To(handler.DeleteRoleBinding).
 Param(ws.PathParameter("workspace", "workspace name")).
 Param(ws.PathParameter("namespace", "groupbinding name")).
diff --git a/pkg/models/iam/am/am.go b/pkg/models/iam/am/am.go
index eacbb5aa32f4ef2625efa0e9ffbd78830f8453d7..510f571190ce27b1b39173ca2028cc8780b99f51 100644
--- a/pkg/models/iam/am/am.go
+++ b/pkg/models/iam/am/am.go
@@ -1050,9 +1050,9 @@ func (am *amOperator) CreateWorkspaceRoleBinding(workspace string, roleBinding *
 }
 if roleBinding.Subjects[0].Kind == rbacv1.GroupKind {
- roleBinding.Labels[iamv1alpha2.GroupReferenceLabel] = roleBinding.RoleRef.Name
+ roleBinding.Labels[iamv1alpha2.GroupReferenceLabel] = roleBinding.Subjects[0].Name
 } else if roleBinding.Subjects[0].Kind == rbacv1.UserKind {
- roleBinding.Labels[iamv1alpha2.UserReferenceLabel] = roleBinding.RoleRef.Name
+ roleBinding.Labels[iamv1alpha2.UserReferenceLabel] = roleBinding.Subjects[0].Name
 }
 roleBinding.Labels[tenantv1alpha1.WorkspaceLabel] = workspace
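Review bot: The `Param` declarations under the corrected DELETE route do not match its path: `workspace` is declared although the path has no `{workspace}` segment, and `namespace` is described as "groupbinding name". Suggest dropping the workspace parameter and using `Param(ws.PathParameter("namespace", "namespace"))`, plus a `rolebinding` path parameter if the chain does not already declare one below the hunk. The route chain continues outside the hunk.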
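Review bot: Role bindings created before this change keep the role name in `GroupReferenceLabel` / `UserReferenceLabel`, so anything that selects bindings by subject through these labels (for example cleanup when a group or user is deleted) will presumably miss them and leave the grant in place. Consider a one-off relabel or a fallback on `Subjects` for existing objects. Both new lines also read only `roleBinding.Subjects[0]`; a binding with several subjects is labelled for the first one only, and whether `Subjects` is checked for being non-empty is not visible in the hunk. A short comment such as `// Label with the subject so bindings can be looked up by group or user.` would record the intent.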