diff --git a/system/service/access_control.go b/system/service/access_control.go
index 8a712b8db..740cfd5c7 100644
--- a/system/service/access_control.go
+++ b/system/service/access_control.go
@@ -95,14 +95,25 @@ func (svc accessControl) FilterReadableRoles(ctx context.Context) *permissions.R
 }
 
 func (svc accessControl) CanUpdateRole(ctx context.Context, rl *types.Role) bool {
+	if rl.ID == permissions.EveryoneRoleID {
+		return false
+	}
+
 	return svc.can(ctx, rl, "update")
 }
 
 func (svc accessControl) CanDeleteRole(ctx context.Context, rl *types.Role) bool {
+	if rl.ID == permissions.EveryoneRoleID {
+		return false
+	}
+
 	return svc.can(ctx, rl, "delete")
 }
 
 func (svc accessControl) CanManageRoleMembers(ctx context.Context, rl *types.Role) bool {
+	if rl.ID == permissions.EveryoneRoleID {
+		return false
+	}
 	return svc.can(ctx, rl, "members.manage")
 }
 
diff --git a/system/service/role.go b/system/service/role.go
index fd63a2872..0fad62ae8 100644
--- a/system/service/role.go
+++ b/system/service/role.go
@@ -359,7 +359,12 @@ func (svc role) Membership(userID uint64) ([]*types.RoleMember, error) {
 }
 
 func (svc role) MemberList(roleID uint64) ([]*types.RoleMember, error) {
+	if roleID == permissions.EveryoneRoleID {
+		return nil, ErrInvalidID.withStack()
+	}
+
 	_, err := svc.findByID(roleID)
+
 	if err != nil {
 		return nil, err
 	}
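Review bot: The EveryoneRoleID guard is pasted verbatim into CanUpdateRole, CanDeleteRole and CanManageRoleMembers, and the third copy drops the blank line the other two keep after the closing brace, so the three already drift; a small helper keeps them in step, e.g. `func isEveryoneRole(rl *types.Role) bool { return rl != nil && rl.ID == permissions.EveryoneRoleID }` used as `if isEveryoneRole(rl) { return false }`. All three new guards dereference `rl` before `svc.can` sees it, so a nil role now panics here; whether `can` tolerated nil before is outside the hunk. The deny short-circuits before any permission rule is consulted, which is a deliberate hard limit, so a doc comment on each method such as `// The built-in Everyone role can never be updated, deleted or have its membership managed, regardless of granted permissions.` would make that contract visible from the API rather than only from the body.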
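Review bot: The blank line added between `_, err := svc.findByID(roleID)` and `if err != nil {` separates the call from its error check, which Go convention keeps adjacent; dropping that added line makes the check read as part of the call. Returning ErrInvalidID for the Everyone role treats a well-formed but reserved ID the same as a malformed one, so an API client cannot tell why the list is refused; if the package already has a more specific error for reserved or system roles it would fit better here (inferred — the error set is outside the hunk). A one-line comment above the new guard, `// The Everyone role is reserved and has no explicit member list.`, would explain the early return to the next reader.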