diff --git a/src/models/node_role.go b/src/models/node_role.go
index fdb81217..0d77800a 100644
--- a/src/models/node_role.go
+++ b/src/models/node_role.go
@@ -34,6 +34,13 @@ func NodeRoleDel(nodeId, roleId int64, username string) error {
 	return err
 }
+// RoleIdsBindingUsername
+func RoleIdsBindingUsername(username string, nids []int64) ([]int64, error) {
+	var ids []int64
+	err := DB["rdb"].Table("node_role").Where("username=?", username).In("node_id", nids).Select("role_id").Find(&ids)
+	return ids, err
+}
+
 // NodeIdsBindingUsername 某人在哪些节点配置过权限
 func NodeIdsBindingUsername(username string) ([]int64, error) {
 	var ids []int64
diff --git a/src/models/user.go b/src/models/user.go
index c4ef239e..699ef852 100644
--- a/src/models/user.go
+++ b/src/models/user.go
@@ -703,3 +703,32 @@ func UsersGet(where string, args ...interface{}) ([]User, error) {
 	return objs, nil
 }
+
+func (u *User) PermByNode(node *Node) ([]string, error) {
+	// 我是超管,自然有权限
+	if u.IsRoot == 1 {
+		return config.LocalOpsList, nil
+	}
+
+	// 我是path上游的某个admin,自然有权限
+	nodeIds, err := NodeIdsByPaths(Paths(node.Path))
+	if err != nil {
+		return nil, err
+	}
+
+	if len(nodeIds) == 0 {
+		return nil, nil
+	}
+
+	if yes, err := NodesAdminExists(nodeIds, u.Id); err != nil {
+		return nil, err
+	} else if yes {
+		return config.LocalOpsList, nil
+	}
+
+	if roleIds, err := RoleIdsBindingUsername(u.Username, nodeIds); err != nil {
+		return nil, err
+	} else {
+		return OperationsOfRoles(roleIds)
+	}
+}
diff --git a/src/modules/rdb/config/ops.go b/src/modules/rdb/config/ops.go
index 0832e96e..9f2a6f3c 100644
--- a/src/modules/rdb/config/ops.go
+++ b/src/modules/rdb/config/ops.go
@@ -18,8 +18,9 @@ type opsStruct []struct {
 }
 var (
-	GlobalOps opsStruct
-	LocalOps  opsStruct
+	GlobalOps    opsStruct
+	LocalOps     opsStruct
+	LocalOpsList []string
 )
 func parseOps() error {
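Review bot: The doc comment on RoleIdsBindingUsername is only the function name and says nothing about the query it runs; suggested `// RoleIdsBindingUsername returns the role ids bound to username on any of the nodes in nids.` What `.In("node_id", nids)` does with an empty nids depends on the ORM version (some return an error, older ones silently drop the condition, which here would return every role the user holds anywhere); the one caller in this diff, PermByNode, checks `len(nodeIds) == 0` first, but the guard belongs in the query helper as well: `if len(nids) == 0 { return nil, nil }`. A role bound at several nodes of the same path is also returned once per node; if the ORM offers it, `Distinct("role_id")` in place of `Select("role_id")` keeps the result a set.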
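Review bot: The final `OperationsOfRoles(roleIds)` in PermByNode is reached with an empty roleIds whenever the user is neither root nor an admin on the path and holds no role there; OperationsOfRoles is not in this diff, but if it builds an `In("role_id", …)` the way RoleIdsBindingUsername does, an empty list is either an ORM error or, on versions that drop an empty IN, an unfiltered query — the wrong failure mode for an authorization result. Mirror the existing nodeIds guard before the call: `if len(roleIds) == 0 { return nil, nil }`. The closing `if … { return } else { return }` also trips the else-after-return lint; `roleIds, err := RoleIdsBindingUsername(u.Username, nodeIds)` followed by a plain error check and `return OperationsOfRoles(roleIds)` reads cleaner. The exported method has no doc comment; suggested `// PermByNode returns the local operations u may perform on node: all of them for root users and for admins of node or one of its ancestors, otherwise the operations of the roles bound to u on those nodes.`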
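Review bot: LocalOpsList is a new exported package variable without a doc comment; suggested `// LocalOpsList holds every distinct operation name (En) found in LocalOps; it is filled by parseOps.` The same slice is handed back unchanged by PermByNode in this diff, so any caller that appends to or reorders the returned value changes the package-wide list; if callers are not guaranteed read-only, return a copy instead.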
@@ -57,5 +58,18 @@ func parseOps() error {
 	LocalOps = lc
+	m := map[string]struct{}{}
+	for _, v := range lc {
+		for _, v2 := range v.Groups {
+			for _, v3 := range v2.Ops {
+				m[v3.En] = struct{}{}
+			}
+		}
+	}
+	LocalOpsList = []string{}
+	for k, _ := range m {
+		LocalOpsList = append(LocalOpsList, k)
+	}
+
 	return nil
 }
diff --git a/src/modules/rdb/http/router.go b/src/modules/rdb/http/router.go
index c189a702..4f2e885a 100644
--- a/src/modules/rdb/http/router.go
+++ b/src/modules/rdb/http/router.go
@@ -108,6 +108,7 @@ func Config(r *gin.Engine) {
 	userLogin.POST("/self/token", selfTokenPost)
 	userLogin.PUT("/self/token", selfTokenPut)
 	userLogin.GET("/self/perms/global", permGlobalOps)
+	userLogin.GET("/self/perms/local/node/:id", permLocalOps)
 	notLogin.PUT("/self/password", selfPasswordPut)
diff --git a/src/modules/rdb/http/router_self.go b/src/modules/rdb/http/router_self.go
index 03bc734d..0f5c47f5 100644
--- a/src/modules/rdb/http/router_self.go
+++ b/src/modules/rdb/http/router_self.go
@@ -119,6 +119,14 @@ func permGlobalOps(c *gin.Context) {
 	renderData(c, operations, err)
 }
+func permLocalOps(c *gin.Context) {
+	user := loginUser(c)
+	node := Node(urlParamInt64(c, "id"))
+
+	operations, err := user.PermByNode(node)
+	renderData(c, operations, err)
+}
+
 func v1PermGlobalOps(c *gin.Context) {
 	user, err := models.UserGet("username=?", queryStr(c, "username"))
 	dangerous(err)
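Review bot: The map walk at `for k, _ := range m` gives LocalOpsList a random order on every process start, so the permission list a client receives is ordered differently from one deployment to the next; sorting once after the loop, `sort.Strings(LocalOpsList)`, makes the output deterministic (the `sort` import belongs in the file's import block, which is outside this hunk). `for k, _ := range m` is also what gofmt -s rewrites, so `for k := range m {` is the idiomatic form, and `LocalOpsList = []string{}` can be `make([]string, 0, len(m))` since the final size is known. parseOps begins before this hunk.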
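Review bot: permLocalOps passes whatever `Node(urlParamInt64(c, "id"))` returns straight into `user.PermByNode(node)`, which reads `node.Path` with no nil check; Node is defined outside this hunk, so if it can return nil for an unknown id the request ends in a nil dereference (a recovered panic and a 500) instead of a clean error. Confirm that Node aborts the request itself, or guard here with `if node == nil { … }` through the file's usual error path before calling PermByNode. The route is registered in the userLogin group and only reports the caller's own permissions, so the authorization decision lives entirely in PermByNode and this handler has nothing further to check.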