diff --git a/api/lib/perm/acl/resource.py b/api/lib/perm/acl/resource.py
index 6800820..40b1a6c 100644
--- a/api/lib/perm/acl/resource.py
+++ b/api/lib/perm/acl/resource.py
@@ -20,8 +20,20 @@ class ResourceTypeCRUD(object):
             query = query.filter(ResourceType.name.ilike('%{0}%'.format(q)))
 
         numfound = query.count()
+        res = query.offset((page - 1) * page_size).limit(page_size)
+        rt_ids = [i.id for i in res]
+        perms = db.session.query(Permission).filter(Permission.deleted.is_(False)).filter(
+            Permission.resource_type_id.in_(rt_ids))
+        id2perms = dict()
+        for perm in perms:
+            id2perms.setdefault(perm.resource_type_id, []).append(perm.to_dict())
 
-        return numfound, query.offset((page - 1) * page_size).limit(page_size)
+        return numfound, res, id2perms
+
+    @staticmethod
+    def get_perms(rt_id):
+        perms = Permission.get_by(resource_type_id=rt_id, to_dict=False)
+        return [i.to_dict() for i in perms]
 
     @classmethod
     def add(cls, app_id, name, perms):
@@ -36,6 +48,8 @@ class ResourceTypeCRUD(object):
 
     @classmethod
     def update(cls, rt_id, **kwargs):
+        kwargs.pop('app_id', None)
+
         rt = ResourceType.get_by_id(rt_id) or abort(404, "ResourceType <{0}> is not found".format(rt_id))
         if 'name' in kwargs:
             other = ResourceType.get_by(name=kwargs['name'], app_id=rt.app_id, to_dict=False, first=True)
diff --git a/api/lib/perm/acl/role.py b/api/lib/perm/acl/role.py
index 85a9c87..0764405 100644
--- a/api/lib/perm/acl/role.py
+++ b/api/lib/perm/acl/role.py
@@ -119,6 +119,8 @@ class RoleCRUD(object):
 
     @staticmethod
     def update_role(rid, **kwargs):
+        kwargs.pop('app_id', None)
+
         role = Role.get_by_id(rid) or abort(404, "Role <{0}> does not exist".format(rid))
 
         RoleCache.clean(rid)
diff --git a/api/views/acl/resources.py b/api/views/acl/resources.py
index 72876a5..4b7ddbb 100644
--- a/api/views/acl/resources.py
+++ b/api/views/acl/resources.py
@@ -24,12 +24,13 @@ class ResourceTypeView(APIView):
         q = request.values.get('q')
         app_id = request.values.get('app_id')
 
-        numfound, res = ResourceTypeCRUD.search(q, app_id, page, page_size)
+        numfound, res, id2perms = ResourceTypeCRUD.search(q, app_id, page, page_size)
 
         return self.jsonify(numfound=numfound,
                             page=page,
                             page_size=page_size,
-                            groups=[i.to_dict() for i in res])
+                            groups=[i.to_dict() for i in res],
+                            id2perms=id2perms)
 
     @args_required('name')
     @args_required('app_id')
@@ -40,7 +41,7 @@ class ResourceTypeView(APIView):
         app_id = request.values.get('app_id')
         perms = request.values.get('perms')
 
-        rt = ResourceTypeCRUD.add(name, app_id, perms)
+        rt = ResourceTypeCRUD.add(app_id, name, perms)
 
         return self.jsonify(rt.to_dict())
 
@@ -55,6 +56,13 @@ class ResourceTypeView(APIView):
         return self.jsonify(type_id=type_id)
 
 
+class ResourceTypePermsView(APIView):
+    url_prefix = "/resource_types/<int:type_id>/perms"
+
+    def get(self, type_id):
+        return self.jsonify(ResourceTypeCRUD.get_perms(type_id))
+
+
 class ResourceView(APIView):
     url_prefix = ("/resources", "/resources/<int:resource_id>")