diff --git a/object/check.go b/object/check.go
index ecc61758..7c8889f8 100644
--- a/object/check.go
+++ b/object/check.go
@@ -361,6 +361,8 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 		return false, err
 	}
 
+	allowPermissionCount := 0
+	denyPermissionCount := 0
 	allowCount := 0
 	denyCount := 0
 	for _, permission := range permissions {
@@ -368,8 +370,13 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 			continue
 		}
 
-		if permission.isUserHit(userId) {
-			allowCount += 1
+		if !permission.isUserHit(userId) {
+			if permission.Effect == "Allow" {
+				allowPermissionCount += 1
+			} else {
+				denyPermissionCount += 1
+			}
+			continue
 		}
 
 		enforcer := getPermissionEnforcer(permission)
@@ -391,8 +398,18 @@ func CheckLoginPermission(userId string, application *Application) (bool, error)
 		}
 	}
 
+	// Deny-override, if one deny is found, then deny
 	if denyCount > 0 {
 		return false, nil
+	} else if allowCount > 0 {
+		return true, nil
+	}
+
+	// For no-allow and no-deny condition
+	// If only allow permissions exist, we suppose it's Deny-by-default, aka no-allow means deny
+	// Otherwise, it's Allow-by-default, aka no-deny means allow
+	if allowPermissionCount > 0 && denyPermissionCount == 0 {
+		return false, nil
 	}
 	return true, nil
 }
diff --git a/object/permission.go b/object/permission.go
index 4d6bd78e..9e193f38 100644
--- a/object/permission.go
+++ b/object/permission.go
@@ -424,10 +424,10 @@ func (p *Permission) GetId() string {
 }
 
 func (p *Permission) isUserHit(name string) bool {
-	targetOrg, _ := util.GetOwnerAndNameFromId(name)
+	targetOrg, targetName := util.GetOwnerAndNameFromId(name)
 	for _, user := range p.Users {
 		userOrg, userName := util.GetOwnerAndNameFromId(user)
-		if userOrg == targetOrg && userName == "*" {
+		if userOrg == targetOrg && (userName == "*" || userName == targetName) {
 			return true
 		}
 	}
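Review bot: The new counters `allowPermissionCount`/`denyPermissionCount` sit directly beside the existing `allowCount`/`denyCount` and differ only by the word Permission, yet they track different things — permissions that do not list this user versus, apparently, verdicts on the ones that do and reach the enforcer. Names that say so, e.g. `unmatchedAllowCount := 0` and `unmatchedDenyCount := 0`, would make the default-policy check at the end of the function self-explaining. A one-line comment above the four declarations stating what each pair counts would help equally. The loop body and the rest of CheckLoginPermission continue outside this hunk.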
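Review bot: The `else` branch inside the new `!permission.isUserHit(userId)` block counts every permission whose Effect is not exactly `"Allow"` — including an empty or misspelled value — as a deny permission, and since the later hunk treats `denyPermissionCount > 0` as allow-by-default, a single malformed permission silently flips the application from deny-by-default to allow-by-default. Classify explicitly, `} else if permission.Effect == "Deny" {`, so unrecognised effects contribute to neither counter. The early `continue` also skips the enforcer for any user not listed in `p.Users`; if a Permission can also grant through roles or groups (not visible in this diff), such users would now be counted as unmatched and denied under the new default, which is worth confirming against the Permission model. The enclosing loop and the function continue outside the hunk.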
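Review bot: The `} else if allowCount > 0 {` that follows an unconditional `return false, nil` is better written as a separate guard in Go — `if denyCount > 0 { return false, nil }` then `if allowCount > 0 { return true, nil }` — which also keeps the three stages of the decision (deny-override, explicit allow, default policy) visually distinct. The new default-policy comment is hard to parse; I would reword it along the lines of `// No permission matched this user: if the application has only Allow permissions, no match means deny; if any Deny permission exists, or none at all, no match means allow.` Since an application with no permissions still returns true under this rule, the comment should say so explicitly, as that is the common case.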
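Review bot: isUserHit gains new semantics here — exact user match plus the org-wide `*` wildcard, evaluated only over `p.Users` — but still carries no doc comment; add `// isUserHit reports whether name ("org/user") is listed in p.Users, either literally or through an "org/*" wildcard entry; only the Users list is consulted.` The wildcard is recognised only as the whole user name, so an entry such as `org/a*` is compared literally, which the comment should also state. What `util.GetOwnerAndNameFromId` returns for a `name` without an org separator is not visible here; confirm it cannot yield an owner that accidentally matches an `*` entry in another org. The function's final return is outside the hunk.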
@@ -436,7 +436,7 @@ func (p *Permission) isUserHit(name string) bool {
 
 func (p *Permission) isResourceHit(name string) bool {
 	for _, resource := range p.Resources {
-		if name == resource {
+		if resource == "*" || resource == name {
 			return true
 		}
 	}
diff --git a/web/src/PermissionEditPage.js b/web/src/PermissionEditPage.js
index 6a774eb6..75cd4007 100644
--- a/web/src/PermissionEditPage.js
+++ b/web/src/PermissionEditPage.js
@@ -277,7 +277,10 @@ class PermissionEditPage extends React.Component {
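Review bot: The new `resource == "*"` case makes one wildcard entry apply a permission to every resource it is evaluated against, so a `Deny` permission with `*` becomes a global deny and an `Allow` one, combined with the new deny-by-default rule in check.go, decides login for every application it is checked against; that widening deserves a doc comment, e.g. `// isResourceHit reports whether name is listed in p.Resources, either literally or via a "*" entry that matches every resource.` Only a whole-string `*` is treated as a wildcard; a value like `app-*` is compared literally, which the comment should state so nobody assumes glob semantics. The function's final return is outside the hunk.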