diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java index 0f24eba000ffbad4668c8965e49199cd45dd99a3..8200964794eeeaa5ba987d807d99bb339254ee02 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java @@ -19,26 +19,25 @@ public class ConsumerPermissionValidator { private ConsumerAuthUtil consumerAuthUtil; - public boolean hasModifyNamespacePermission(HttpServletRequest request, String appId, String - namespaceName) { - + public boolean hasModifyNamespacePermission(HttpServletRequest request, String appId, String namespaceName, + String env) { if (hasCreateNamespacePermission(request, appId)) { return true; } return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), PermissionType.MODIFY_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, null)); + RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); } - public boolean hasReleaseNamespacePermission(HttpServletRequest request, String appId, String - namespaceName) { + public boolean hasReleaseNamespacePermission(HttpServletRequest request, String appId, String namespaceName, + String env) { if (hasCreateNamespacePermission(request, appId)) { return true; } return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), PermissionType.RELEASE_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, null)); + RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); } 
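Review bot: Both consumer checks in this hunk now query only the env-scoped target id, so a consumer whose role was granted namespace-wide no longer passes `hasModifyNamespacePermission` or `hasReleaseNamespacePermission` unless it also holds create-namespace permission. Namespace-wide grants are still issued by this commit: the new three-argument `assignNamespaceRoleToConsumer` passes a null env. `PermissionValidator` in the same commit accepts either scope, and the consumer side should do the same by checking `RoleUtils.buildNamespaceTargetId(appId, namespaceName)` first and then `RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)`. A one-line Javadoc on each method stating which scopes grant access would make the intended rule auditable.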
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/service/ConsumerService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/service/ConsumerService.java index e33841f08379305dc144128f0f48522b47e91775..c52f5f453e49f670fb3692b37bf8ca3719f5b88c 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/service/ConsumerService.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/service/ConsumerService.java @@ -112,6 +112,10 @@ public class ConsumerService { return consumerRepository.findOne(consumerId); } + public List assignNamespaceRoleToConsumer(String token, String appId, String namespaceName) { + return assignNamespaceRoleToConsumer(token, appId, namespaceName, null); + } + @Transactional public List assignNamespaceRoleToConsumer(String token, String appId, String namespaceName, String env) { Long consumerId = getConsumerIdByToken(token); diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java index 3c26be16692931a94e6db2477a28df086d426a31..61a2445f94e0de0ba08ddad1e83e86d1b119c3f8 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java 
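Review bot: The new three-argument `assignNamespaceRoleToConsumer` carries no `@Transactional` and reaches the annotated four-argument method through a plain `this` call, which Spring's default proxy-based transaction handling does not intercept. Unless `ConsumerService` is transactional at class level (not visible in this hunk), role assignments made through this overload run without the transaction the original method had. A failure part-way could then leave a consumer holding only some of the intended roles. Adding `@Transactional` to the new overload restores the previous behaviour.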
@@ -32,7 +32,7 @@ public class ItemController { private UserService userService; - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items", method = RequestMethod.POST) public OpenItemDTO createItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @@ -60,7 +60,7 @@ public class ItemController { return OpenApiBeanUtils.transformFromItemDTO(createdItem); } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items/{key:.+}", method = RequestMethod.PUT) public void updateItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @@ -91,7 +91,7 @@ public class ItemController { } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items/{key:.+}", method = RequestMethod.DELETE) public void deleteItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java index de3d85ca83ace759900ceeb0b0e39ed60213f3de..2a5911dcf79825e0e5c38d2200e1924c426cf9bf 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java @@ -33,7 +33,7 @@ public class ReleaseController { @Autowired private UserService userService; - @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#request, #appId, #namespaceName)") + @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#request, #appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/releases", method = RequestMethod.POST) public OpenReleaseDTO createRelease(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java index 02cd183f5743038d176d65fde68336bb2b74ffa2..960799ed08183cb61b0bbc130a140027973cacec 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java 
@@ -6,7 +6,6 @@ import com.ctrip.framework.apollo.portal.constant.PermissionType; import com.ctrip.framework.apollo.portal.service.RolePermissionService; import com.ctrip.framework.apollo.portal.spi.UserInfoHolder; import com.ctrip.framework.apollo.portal.util.RoleUtils; - import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Component; 
@@ -20,24 +19,42 @@ public class PermissionValidator { @Autowired private PortalConfig portalConfig; - public boolean hasModifyNamespacePermission(String appId, String namespaceName, String env) { + public boolean hasModifyNamespacePermission(String appId, String namespaceName) { return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), PermissionType.MODIFY_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); + RoleUtils.buildNamespaceTargetId(appId, namespaceName)); } - public boolean hasReleaseNamespacePermission(String appId, String namespaceName, String env) { + public boolean hasModifyNamespacePermission(String appId, String namespaceName, String env) { + return hasModifyNamespacePermission(appId, namespaceName) || + rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), + PermissionType.MODIFY_NAMESPACE, RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); + } + + public boolean hasReleaseNamespacePermission(String appId, String namespaceName) { return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), PermissionType.RELEASE_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); + RoleUtils.buildNamespaceTargetId(appId, namespaceName)); + } + + public boolean hasReleaseNamespacePermission(String appId, String namespaceName, String env) { + return hasReleaseNamespacePermission(appId, namespaceName) || + rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), + PermissionType.RELEASE_NAMESPACE, RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); } public boolean hasDeleteNamespacePermission(String appId) { return hasAssignRolePermission(appId) || isSuperAdmin(); } + public boolean hasOperateNamespacePermission(String appId, String namespaceName) { + return hasModifyNamespacePermission(appId, namespaceName) || hasReleaseNamespacePermission(appId, namespaceName); + } + public boolean 
hasOperateNamespacePermission(String appId, String namespaceName, String env) { - return hasModifyNamespacePermission(appId, namespaceName, env) || hasReleaseNamespacePermission(appId, namespaceName, env); + return hasOperateNamespacePermission(appId, namespaceName) || + hasModifyNamespacePermission(appId, namespaceName, env) || + hasReleaseNamespacePermission(appId, namespaceName, env); } public boolean hasAssignRolePermission(String appId) { @@ -77,8 +94,4 @@ public class PermissionValidator { public boolean isSuperAdmin() { return rolePermissionService.isSuperAdmin(userInfoHolder.getUser().getUserId()); } - - public boolean alwaysTrue() { - return true; - } } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/emailbuilder/ConfigPublishEmailBuilder.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/emailbuilder/ConfigPublishEmailBuilder.java index 614351cc207499daaced2ea32ecc77d5e8e669ee..82cab8305f37bf79d562f2a9232f0e08330b0a3e 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/emailbuilder/ConfigPublishEmailBuilder.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/emailbuilder/ConfigPublishEmailBuilder.java 
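Review bot: The three-argument overloads now encode the rule "permission on the whole namespace, or on this env", but nothing in the class states it. A Javadoc such as `/** Grants access when the user holds the permission on the whole namespace or on the given env. */` would keep later callers from re-adding their own `null` fallbacks in `@PreAuthorize` expressions. `hasOperateNamespacePermission(appId, namespaceName, env)` also repeats work: the two env overloads it calls already include the namespace-wide checks, so the leading `hasOperateNamespacePermission(appId, namespaceName) ||` term is redundant and one call can issue up to six `userHasPermission` lookups. It can be reduced to `return hasModifyNamespacePermission(appId, namespaceName, env) || hasReleaseNamespacePermission(appId, namespaceName, env);`.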
@@ -211,13 +211,13 @@ public abstract class ConfigPublishEmailBuilder { private List recipients(String appId, String namespaceName, String env) { Set modifyRoleUsers = rolePermissionService - .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE, null)); + .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE)); Set envModifyRoleUsers = rolePermissionService .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE, env)); Set releaseRoleUsers = rolePermissionService - .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE, null)); + .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE)); Set envReleaseRoleUsers = rolePermissionService .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE, env)); diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java index 26cc3ad28227874ef4a6a6bdbfad6411c033b0b8..84ba65d5dd8bbcd8aa283dc8a597c2e62586d1e8 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java @@ -9,6 +9,8 @@ import com.ctrip.framework.apollo.openapi.entity.ConsumerRole; import com.ctrip.framework.apollo.openapi.entity.ConsumerToken; import com.ctrip.framework.apollo.openapi.service.ConsumerService; +import com.google.common.base.Strings; +import com.google.common.collect.Lists; import org.springframework.beans.factory.annotation.Autowired; import org.springframework.format.annotation.DateTimeFormat; import org.springframework.security.access.prepost.PreAuthorize; 
@@ -81,12 +83,17 @@ public class ConsumerController { throw new BadRequestException("Params(NamespaceName) can not be empty."); } if (null != envs){ - String[] envList = envs.split(","); + String[] envArray = envs.split(","); + List envList = Lists.newArrayList(); // validate env parameter - for (String env : envList) { - if (null != env && !"".equals(env) && null == EnvUtils.transformEnv(env)) { + for (String env : envArray) { + if (Strings.isNullOrEmpty(env)) { + continue; + } + if (null == EnvUtils.transformEnv(env)) { throw new BadRequestException(String.format("env: %s is illegal", env)); } + envList.add(env); } List consumeRoles = new ArrayList<>(); @@ -96,7 +103,7 @@ public class ConsumerController { return consumeRoles; } - return consumerService.assignNamespaceRoleToConsumer(token, appId, namespaceName, null); + return consumerService.assignNamespaceRoleToConsumer(token, appId, namespaceName); } } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java index d9e232a1371d05b91d4322e5892ef1a04ab63181..514102326d3cf3f75eeba9e6440a471e3120865a 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java 
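Review bot: The loop validates each token with `EnvUtils.transformEnv(env)` but then stores the raw token via `envList.add(env)`, so whatever spelling the caller sent becomes part of the role name. If `transformEnv` accepts variants such as different case or surrounding whitespace (its implementation is not visible here), the stored role would not match the `env` path variable that the open API validators pass to `RoleUtils.buildNamespaceTargetId`. The grant would then silently never apply. Storing the canonical value that validation produced, rather than the input string, avoids that. The code that consumes `envList` lies between the two hunks of this file and is not shown.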
@@ -40,7 +40,7 @@ public class ItemController { @Autowired private PermissionValidator permissionValidator; - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items", method = RequestMethod.PUT, consumes = { "application/json"}) public void modifyItemsByText(@PathVariable String appId, @PathVariable String env, @@ -57,7 +57,7 @@ public class ItemController { configService.updateConfigItemByText(model); } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item", method = RequestMethod.POST) public ItemDTO createItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, 
@@ -76,7 +76,7 @@ public class ItemController { return configService.createItem(appId, Env.valueOf(env), clusterName, namespaceName, item); } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item", method = RequestMethod.PUT) public void updateItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @@ -90,7 +90,7 @@ public class ItemController { } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env) ") + @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env) ") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/{itemId}", method = RequestMethod.DELETE) public void deleteItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, 
@@ -139,14 +139,12 @@ public class ItemController { return configService.compare(model.getSyncToNamespaces(), model.getSyncItems()); } - //@PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)") - @PreAuthorize(value="@permissionValidator.alwaysTrue()") @RequestMapping(value = "/apps/{appId}/namespaces/{namespaceName}/items", method = RequestMethod.PUT, consumes = { "application/json"}) - public ResponseEntity update(@PathVariable String appId, @PathVariable String namespaceName, + public ResponseEntity update(@PathVariable String appId, @PathVariable String namespaceName, @RequestBody NamespaceSyncModel model) { checkModel(Objects.nonNull(model) && !model.isInvalid()); - boolean hasPermission = permissionValidator.hasModifyNamespacePermission(appId, namespaceName, null); + boolean hasPermission = permissionValidator.hasModifyNamespacePermission(appId, namespaceName); Env envNoPermission = null; // if uses has ModifyNamespace permission then he has permission if (!hasPermission) { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java index c80fda24d797d0a1231e0ff73d8b3de8dd2159a1..454255e847c52bb10a17d96fd9f6b2cfe56c6107 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java 
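Review bot: With the `alwaysTrue()` guard removed, `update` has no `@PreAuthorize` at all, so authorization rests entirely on the checks in the method body, most of which lies outside this hunk. The visible check uses the `appId` and `namespaceName` path variables, while the namespaces to be written appear to come from the request body (`NamespaceSyncModel`). If the remaining code does not already do so, it should verify that every target in the model refers to that same appId and namespace before syncing; otherwise permission is tested on one namespace and applied to another. A comment above the mapping, e.g. `// authorization is enforced per target env inside the method body`, would stop the missing annotation from being read as an oversight.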
@@ -46,7 +46,7 @@ public class NamespaceBranchController { return namespaceBranchService.findBranch(appId, Env.valueOf(env), clusterName, namespaceName); } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches", method = RequestMethod.POST) public NamespaceDTO createBranch(@PathVariable String appId, @PathVariable String env, @@ -63,9 +63,8 @@ public class NamespaceBranchController { @PathVariable String namespaceName, @PathVariable String branchName) { - boolean canDelete = permissionValidator.hasReleaseNamespacePermission(appId, namespaceName, null) || - permissionValidator.hasReleaseNamespacePermission(appId, namespaceName, env) || - ((permissionValidator.hasModifyNamespacePermission(appId, namespaceName, null) || permissionValidator.hasModifyNamespacePermission(appId, namespaceName, env)) && + boolean canDelete = permissionValidator.hasReleaseNamespacePermission(appId, namespaceName, env) || + (permissionValidator.hasModifyNamespacePermission(appId, namespaceName, env) && releaseService.loadLatestRelease(appId, Env.valueOf(env), branchName, namespaceName) == null); 
@@ -82,7 +81,7 @@ public class NamespaceBranchController { - @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/merge", method = RequestMethod.POST) public ReleaseDTO merge(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @@ -121,7 +120,7 @@ public class NamespaceBranchController { } - @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/rules", method = RequestMethod.PUT) public void updateBranchRules(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java index 167e572df9c9a136345655feb086cf40d7ea85fe..a86e09d086d8ac7ae05d0fda95a4b0da9730b739 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java 
@@ -208,10 +208,10 @@ public class NamespaceController { String operator = userInfoHolder.getUser().getUserId(); rolePermissionService - .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE, null), + .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE), Sets.newHashSet(operator), operator); rolePermissionService - .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE, null), + .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE), Sets.newHashSet(operator), operator); } } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java index bbf8df5e09a16e6fcdc9d238cf9d602558873e5b..73ddce86285ab191b215ab939f98b6cf2019d1c8 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java @@ -67,7 +67,7 @@ public class PermissionController { permissionCondition.setHasPermission( rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), permissionType, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, null))); + RoleUtils.buildNamespaceTargetId(appId, namespaceName))); return ResponseEntity.ok().body(permissionCondition); } 
@@ -168,11 +168,11 @@ public class PermissionController { assignedUsers.setAppId(appId); Set releaseNamespaceUsers = - rolePermissionService.queryUsersWithRole(RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName, null)); + rolePermissionService.queryUsersWithRole(RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName)); assignedUsers.setReleaseRoleUsers(releaseNamespaceUsers); Set modifyNamespaceUsers = - rolePermissionService.queryUsersWithRole(RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName, null)); + rolePermissionService.queryUsersWithRole(RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName)); assignedUsers.setModifyRoleUsers(modifyNamespaceUsers); return assignedUsers; @@ -188,7 +188,7 @@ public class PermissionController { if (!RoleType.isValidRoleType(roleType)) { throw new BadRequestException("role type is illegal"); } - Set assignedUser = rolePermissionService.assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType, null), + Set assignedUser = rolePermissionService.assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType), Sets.newHashSet(user), userInfoHolder.getUser().getUserId()); if (CollectionUtils.isEmpty(assignedUser)) { throw new BadRequestException(user + "已授权"); @@ -206,7 +206,7 @@ public class PermissionController { if (!RoleType.isValidRoleType(roleType)) { throw new BadRequestException("role type is illegal"); } - rolePermissionService.removeRoleFromUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType, null), + rolePermissionService.removeRoleFromUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType), Sets.newHashSet(user), userInfoHolder.getUser().getUserId()); return ResponseEntity.ok().build(); } 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java index ee8aa722602bd95c4584062f736a62cb76fbe640..6570efca3ca533296bad1424b53e38c4a2ed199d 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java @@ -36,7 +36,7 @@ public class ReleaseController { @Autowired private PortalConfig portalConfig; - @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/releases", method = RequestMethod.POST) public ReleaseDTO createRelease(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @@ -67,7 +67,7 @@ public class ReleaseController { return createdRelease; } - @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)") + @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/releases", method = RequestMethod.POST) public ReleaseDTO createGrayRelease(@PathVariable String appId, 
@@ -138,6 +138,7 @@ public class ReleaseController { } + @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)") @RequestMapping(path = "/envs/{env}/releases/{releaseId}/rollback", method = RequestMethod.PUT) public void rollback(@PathVariable String env, @PathVariable long releaseId) { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java index 38e693e3f4b10cf60e829e7e271cd1443fc8e977..71d911dab912070e2c609cffc083e7b1d8adbe80 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java @@ -58,10 +58,10 @@ public class DefaultRoleInitializationService implements RoleInitializationServi //assign modify、release namespace role to user rolePermissionService.assignRoleToUsers( - RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.MODIFY_NAMESPACE, null), + RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.MODIFY_NAMESPACE), Sets.newHashSet(operator), operator); rolePermissionService.assignRoleToUsers( - RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.RELEASE_NAMESPACE, null), + RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.RELEASE_NAMESPACE), Sets.newHashSet(operator), operator); } 
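Review bot: The `@PreAuthorize` added on `rollback` references `#appId` and `#namespaceName`, but the signature visible in this hunk has only `env` and `releaseId`, so both variables resolve to null when the expression is evaluated. With the null-skipping joiner this commit introduces in `RoleUtils`, the lookup then uses a target id built from `env` alone, and an empty one for the namespace-wide fallback. It therefore never tests permission on the namespace that owns the release. The release should be loaded by `releaseId` first and its appId and namespace name passed to `permissionValidator.hasReleaseNamespacePermission(...)` inside the method, rejecting the request when that returns false. The body of `rollback` is outside the hunk; if it already performs such a check, this annotation should be dropped rather than kept as a guard that cannot match.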
@@ -69,13 +69,13 @@ public class DefaultRoleInitializationService implements RoleInitializationServi @Transactional public void initNamespaceRoles(String appId, String namespaceName, String operator) { - String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName, null); + String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName); if (rolePermissionService.findRoleByRoleName(modifyNamespaceRoleName) == null) { createNamespaceRole(appId, namespaceName, PermissionType.MODIFY_NAMESPACE, modifyNamespaceRoleName, operator); } - String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName, null); + String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName); if (rolePermissionService.findRoleByRoleName(releaseNamespaceRoleName) == null) { createNamespaceRole(appId, namespaceName, PermissionType.RELEASE_NAMESPACE, releaseNamespaceRoleName, operator); @@ -143,7 +143,7 @@ public class DefaultRoleInitializationService implements RoleInitializationServi String roleName, String operator) { Permission permission = - createPermission(RoleUtils.buildNamespaceTargetId(appId, namespaceName, null), permissionType, operator); + createPermission(RoleUtils.buildNamespaceTargetId(appId, namespaceName), permissionType, operator); Permission createdPermission = rolePermissionService.createPermission(permission); Role role = createRole(roleName, operator); diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java index e2040063bbf3513d703c7fef3956b54fc6e7054d..f1ab7f457d084fdd856017f9d75d3836afa77a51 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java 
@@ -7,7 +7,7 @@ import com.ctrip.framework.apollo.portal.constant.RoleType; public class RoleUtils { - private static final Joiner STRING_JOINER = Joiner.on(ConfigConsts.CLUSTER_NAMESPACE_SEPARATOR); + private static final Joiner STRING_JOINER = Joiner.on(ConfigConsts.CLUSTER_NAMESPACE_SEPARATOR).skipNulls(); public static String buildAppMasterRoleName(String appId) { return STRING_JOINER.join(RoleType.MASTER, appId); 
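Review bot: `skipNulls()` on the shared `STRING_JOINER` makes every role-name and target-id builder in this class accept a null `appId` or `namespaceName` and return a shorter, valid-looking key instead of throwing. That is the wrong failure mode for strings used as authorization keys. It also does not replace the `!"".equals(env)` guards that the next hunk in this file removes: an empty `env` now yields a key with a trailing separator rather than the namespace-wide key. I would keep the strict joiner and treat only the optional env explicitly, e.g. `return Strings.isNullOrEmpty(env) ? STRING_JOINER.join(appId, namespaceName) : STRING_JOINER.join(appId, namespaceName, env);` in `buildNamespaceTargetId`. The three role-name builders would take the same shape, using Guava `Strings` as ConsumerController does in this commit.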
@@ -17,36 +17,44 @@ public class RoleUtils { return STRING_JOINER.join(roleType, appId); } + public static String buildModifyNamespaceRoleName(String appId, String namespaceName) { + return buildModifyNamespaceRoleName(appId, namespaceName, null); + } + public static String buildModifyNamespaceRoleName(String appId, String namespaceName, String env) { - if (null != env && !"".equals(env)) - return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, namespaceName, env); - return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, namespaceName); + return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, namespaceName, env); } public static String buildModifyDefaultNamespaceRoleName(String appId) { return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, ConfigConsts.NAMESPACE_APPLICATION); } + public static String buildReleaseNamespaceRoleName(String appId, String namespaceName) { + return buildReleaseNamespaceRoleName(appId, namespaceName, null); + } + public static String buildReleaseNamespaceRoleName(String appId, String namespaceName, String env) { - if (null != env && !"".equals(env)) - return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, namespaceName, env); - return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, namespaceName); + return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, namespaceName, env); + } + + public static String buildNamespaceRoleName(String appId, String namespaceName, String roleType) { + return buildNamespaceRoleName(appId, namespaceName, roleType, null); } public static String buildNamespaceRoleName(String appId, String namespaceName, String roleType, String env) { - if (null != env && !"".equals(env)) - return STRING_JOINER.join(roleType, appId, namespaceName, env); - return STRING_JOINER.join(roleType, appId, namespaceName); + return STRING_JOINER.join(roleType, appId, namespaceName, env); } public static String buildReleaseDefaultNamespaceRoleName(String appId) { return 
STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, ConfigConsts.NAMESPACE_APPLICATION); } + public static String buildNamespaceTargetId(String appId, String namespaceName) { + return buildNamespaceTargetId(appId, namespaceName, null); + } + public static String buildNamespaceTargetId(String appId, String namespaceName, String env) { - if (null != env && !"".equals(env)) - return STRING_JOINER.join(appId, namespaceName, env); - return STRING_JOINER.join(appId, namespaceName); + return STRING_JOINER.join(appId, namespaceName, env); } public static String buildDefaultNamespaceTargetId(String appId) { diff --git a/apollo-portal/src/main/resources/static/namespace/role.html b/apollo-portal/src/main/resources/static/namespace/role.html index cf9273503e020ce25006c805546bb484c1422e05..15c6b8d003a3afd83661a8099928c99be48c0490 100644 --- a/apollo-portal/src/main/resources/static/namespace/role.html +++ b/apollo-portal/src/main/resources/static/namespace/role.html @@ -35,13 +35,13 @@
- +
@@ -49,7 +49,7 @@
-
ALL
+
所有环境