diff --git a/system/service/role.go b/system/service/role.go
index d9ec1fdc0..aa279d460 100644
--- a/system/service/role.go
+++ b/system/service/role.go
@@ -353,12 +353,19 @@ func (svc role) Update(ctx context.Context, upd *types.Role) (r *types.Role, err
 			return
 		}
 
+		raProps.setRole(r)
+
 		if svc.IsSystem(r) {
+			// prevent system role updates
+			// we need this here because of the clumsy way
+			// how rest endpoint handler is implemented ATM
+			if r.Handle == upd.Handle && r.Name == upd.Name {
+				// no change.
+				return nil
+			}
 			return RoleErrNotAllowedToUpdate()
 		}
 
-		raProps.setRole(r)
-
 		if err = svc.eventbus.WaitFor(ctx, event.RoleBeforeUpdate(upd, r)); err != nil {
 			return
 		}