diff --git a/weed/iamapi/iamapi_management_handlers.go b/weed/iamapi/iamapi_management_handlers.go
index 78c580821..5449a5d9f 100644
--- a/weed/iamapi/iamapi_management_handlers.go
+++ b/weed/iamapi/iamapi_management_handlers.go
@@ -219,6 +219,8 @@ func (iama *IamApiServer) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName
 				}
 			}
 			s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
+			// Remove user from all groups
+			removeUserFromAllGroups(s3cfg, userName)
 			return resp, nil
 		}
 	}
@@ -258,6 +260,8 @@ func (iama *IamApiServer) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values ur
 						}
 					}
 				}
+				// Update group membership references
+				updateUserInGroups(s3cfg, userName, newUserName)
 				return resp, nil
 			}
 		}
diff --git a/weed/s3api/s3api_embedded_iam.go b/weed/s3api/s3api_embedded_iam.go
index a33d0c57e..320d8e22e 100644
--- a/weed/s3api/s3api_embedded_iam.go
+++ b/weed/s3api/s3api_embedded_iam.go
@@ -315,6 +315,15 @@ func (e *EmbeddedIamApi) DeleteUser(s3cfg *iam_pb.S3ApiConfiguration, userName s
 				}
 			}
 			s3cfg.Identities = append(s3cfg.Identities[:i], s3cfg.Identities[i+1:]...)
+			// Remove user from all groups
+			for _, g := range s3cfg.Groups {
+				for j, m := range g.Members {
+					if m == userName {
+						g.Members = append(g.Members[:j], g.Members[j+1:]...)
+						break
+					}
+				}
+			}
 			return resp, nil
 		}
 	}
@@ -342,6 +351,15 @@ func (e *EmbeddedIamApi) UpdateUser(s3cfg *iam_pb.S3ApiConfiguration, values url
 		for _, ident := range s3cfg.Identities {
 			if userName == ident.Name {
 				ident.Name = newUserName
+				// Update group membership references
+				for _, g := range s3cfg.Groups {
+					for j, m := range g.Members {
+						if m == userName {
+							g.Members[j] = newUserName
+							break
+						}
+					}
+				}
 				return resp, nil
 			}
 		}