diff --git a/backend/src/main/java/io/metersphere/api/controller/ApiTestEnvironmentController.java b/backend/src/main/java/io/metersphere/api/controller/ApiTestEnvironmentController.java
index 887c2149c9..1e2a97555a 100644
--- a/backend/src/main/java/io/metersphere/api/controller/ApiTestEnvironmentController.java
+++ b/backend/src/main/java/io/metersphere/api/controller/ApiTestEnvironmentController.java
@@ -11,6 +11,7 @@ import io.metersphere.api.service.CommandService;
 import io.metersphere.base.domain.ApiTestEnvironmentWithBLOBs;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.exception.MSException;
 import io.metersphere.commons.utils.LogUtil;
 import io.metersphere.commons.utils.PageUtils;
@@ -18,6 +19,7 @@ import io.metersphere.commons.utils.Pager;
 import io.metersphere.controller.request.EnvironmentRequest;
 import io.metersphere.i18n.Translator;
 import io.metersphere.log.annotation.MsAuditLog;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
@@ -64,6 +66,7 @@ public class ApiTestEnvironmentController {
 }
 @PostMapping("/add")
+ @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ_CREATE)
 @MsAuditLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING, type = OperLogConstants.CREATE, content = "#msClass.getLogDetails(#apiTestEnvironmentWithBLOBs.id)", msClass = ApiTestEnvironmentService.class)
 public String create(@RequestPart("request") ApiTestEnvironmentDTO apiTestEnvironmentWithBLOBs, @RequestPart(value = "files", required = false) List sslFiles) {
 checkParams(apiTestEnvironmentWithBLOBs);
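Review bot: The `@RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ_CREATE)` added on `/add` takes only a constant, so it shows that the caller holds the permission but not that the environment in `apiTestEnvironmentWithBLOBs` belongs to a project where they hold it. Nothing visible in the hunk shows `checkParams` or the service comparing the target's project with the caller's, and how the realm scopes a permission to a project is not visible either, so this should be confirmed or added. The same question applies to the `/update` and `/delete/{id}` hunks in this file and to `/member/update` in ProjectController. A comment above the annotation such as `// permission only; project ownership of the target is checked in <service method>` would record where that check lives. The body of `create` continues outside the hunk.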
@@ -71,6 +74,7 @@ public class ApiTestEnvironmentController {
 }
 @PostMapping(value = "/update")
+ @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ_EDIT)
 @MsAuditLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#apiTestEnvironment.id)", content = "#msClass.getLogDetails(#apiTestEnvironment.id)", msClass = ApiTestEnvironmentService.class)
 public void update(@RequestPart("request") ApiTestEnvironmentDTO apiTestEnvironment, @RequestPart(value = "files", required = false) List sslFiles) {
 checkParams(apiTestEnvironment);
@@ -105,6 +109,7 @@ public class ApiTestEnvironmentController {
 }
 @GetMapping("/delete/{id}")
+ @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ_DELETE)
 @MsAuditLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = ApiTestEnvironmentService.class)
 public void delete(@PathVariable String id) {
 apiTestEnvironmentService.delete(id);
diff --git a/backend/src/main/java/io/metersphere/controller/CustomFunctionController.java b/backend/src/main/java/io/metersphere/controller/CustomFunctionController.java
index 8867f206ae..737374214f 100644
--- a/backend/src/main/java/io/metersphere/controller/CustomFunctionController.java
+++ b/backend/src/main/java/io/metersphere/controller/CustomFunctionController.java
@@ -10,6 +10,8 @@ import io.metersphere.commons.utils.Pager;
 import io.metersphere.controller.request.CustomFunctionRequest;
 import io.metersphere.dto.MsExecResponseDTO;
 import io.metersphere.service.CustomFunctionService;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import javax.annotation.Resource;
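Review bot: In ApiTestEnvironmentController, `/delete/{id}` stays a `@GetMapping` while now carrying `@RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ_DELETE)`, so a destructive action remains reachable by a plain GET sent with an authorised user's session. GET requests are commonly exempt from CSRF token checks and can be issued by prefetchers or embedded resources, so the permission check alone does not protect a logged-in holder of the permission from a cross-site request. I would change the mapping to `@PostMapping("/delete/{id}")` or `@DeleteMapping("/delete/{id}")` together with the front-end call. The same applies to the GET `/delete/{id}` and `/copy/{id}` hunks in CustomFunctionController, `/delete/{id}` in JarConfigController and `/delete/message/{identification}` in NoticeController. The body of `delete` continues outside the hunk.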
@@ -27,16 +29,19 @@ public class CustomFunctionController {
 private CustomFunctionService customFunctionService;
 @PostMapping("/save")
+ @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+CREATE")
 public CustomFunctionWithBLOBs save(@RequestBody CustomFunctionRequest request) {
 return customFunctionService.save(request);
 }
 @GetMapping("/delete/{id}")
+ @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+DELETE")
 public void delete(@PathVariable String id) {
 customFunctionService.delete(id);
 }
 @PostMapping("/update")
+ @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+EDIT")
 public void update(@RequestBody CustomFunctionRequest request) {
 customFunctionService.update(request);
 }
@@ -48,6 +53,7 @@ public class CustomFunctionController {
 }
 @GetMapping("/copy/{id}")
+ @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+COPY")
 public CustomFunctionWithBLOBs copy(@PathVariable String id) {
 return customFunctionService.copy(id);
 }
@@ -58,6 +64,7 @@ public class CustomFunctionController {
 }
 @PostMapping("/run")
+ @RequiresPermissions(value = {"PROJECT_CUSTOM_CODE:READ+CREATE", "PROJECT_CUSTOM_CODE:READ+EDIT", "PROJECT_CUSTOM_CODE:READ+COPY"}, logical = Logical.OR)
 public MsExecResponseDTO run(@RequestBody RunDefinitionRequest request) {
 return customFunctionService.run(request);
 }
diff --git a/backend/src/main/java/io/metersphere/controller/GroupController.java b/backend/src/main/java/io/metersphere/controller/GroupController.java
index 7c18632f0f..7cb4e58439 100644
--- a/backend/src/main/java/io/metersphere/controller/GroupController.java
+++ b/backend/src/main/java/io/metersphere/controller/GroupController.java
@@ -54,6 +54,7 @@ public class GroupController {
 }
 @GetMapping("/get/all")
+ @RequiresPermissions(value = {PermissionConstants.SYSTEM_GROUP_READ, PermissionConstants.SYSTEM_USER_READ}, logical = Logical.OR)
 public List getAllGroup() {
 return groupService.getAllGroup();
 }
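Review bot: The permissions on `save`, `delete` and `update` in CustomFunctionController are spelled as string literals (`"PROJECT_CUSTOM_CODE:READ+CREATE"` and the rest), while ApiTestEnvironmentController, GroupController and NoticeController in the same commit reference `PermissionConstants`. A typo in a literal still compiles and then silently changes who is allowed at run time, and the `/run` hunk further down repeats three of these strings. I would reference constants here too, adding them to `PermissionConstants` if they do not exist yet. The same applies to the literals in the `/copy/{id}` and `/run` hunks, in JarConfigController and in ProjectController.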
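Review bot: `/run` in CustomFunctionController is allowed for any one of `READ+CREATE`, `READ+EDIT` or `READ+COPY`, so the right to execute is inferred from authoring rights rather than granted on its own. `customFunctionService.run(request)` presumably executes the script carried in `RunDefinitionRequest` (the service is not visible here); if so, a role given only `READ+COPY` can run code supplied in the request body. I would either gate this endpoint on a dedicated execute permission or state the intent above the annotation, e.g. `// run is deliberately allowed to every role that may author custom code (create/edit/copy)`.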
@@ -161,6 +162,7 @@ public class GroupController {
 }
 @PostMapping("/edit/member")
+ @RequiresPermissions(value = {PermissionConstants.SYSTEM_GROUP_READ_EDIT, PermissionConstants.PROJECT_GROUP_READ_EDIT}, logical = Logical.OR)
 public void editGroupUser(@RequestBody EditGroupUserRequest request) {
 groupService.editGroupUser(request);
 }
diff --git a/backend/src/main/java/io/metersphere/controller/JarConfigController.java b/backend/src/main/java/io/metersphere/controller/JarConfigController.java
index d736cd5b7e..cd6141e6eb 100644
--- a/backend/src/main/java/io/metersphere/controller/JarConfigController.java
+++ b/backend/src/main/java/io/metersphere/controller/JarConfigController.java
@@ -7,6 +7,8 @@ import io.metersphere.commons.utils.Pager;
 import io.metersphere.controller.request.JarConfigRequest;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.service.JarConfigService;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
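Review bot: `/edit/member` in GroupController accepts either `SYSTEM_GROUP_READ_EDIT` or `PROJECT_GROUP_READ_EDIT`, but the annotation cannot tell which kind of group the `request` targets. Unless `groupService.editGroupUser` checks the target group's scope (not visible in this hunk), a holder of only the project-level permission could change the membership of a system-level group, which would be a privilege-escalation path. The service should reject the request when the target group's type does not match the permission the caller actually holds. A comment above the annotation, e.g. `// OR is safe only because editGroupUser verifies the group's scope against the caller`, would record that dependency.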
@@ -21,33 +23,39 @@ public class JarConfigController {
 JarConfigService JarConfigService;
 @PostMapping("list/{goPage}/{pageSize}")
+ @RequiresPermissions(value = {"PROJECT_FILE:READ+JAR", "PROJECT_FILE:READ+FILE"}, logical = Logical.OR)
 public Pager> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody JarConfigRequest request) {
 return JarConfigService.list(request, goPage, pageSize);
 }
 @GetMapping("list/all")
+ @RequiresPermissions(value = {"PROJECT_FILE:READ+JAR", "PROJECT_FILE:READ+FILE"}, logical = Logical.OR)
 public List listAll() {
 return JarConfigService.list();
 }
 @GetMapping("/get/{id}")
+ @RequiresPermissions(value = {"PROJECT_FILE:READ+JAR", "PROJECT_FILE:READ+FILE"}, logical = Logical.OR)
 public JarConfig get(@PathVariable String id) {
 return JarConfigService.get(id);
 }
 @PostMapping(value = "/add", consumes = {"multipart/form-data"})
+ @RequiresPermissions(value = {"PROJECT_FILE:READ+UPLOAD+JAR", "PROJECT_FILE:READ+UPLOAD+FILE"}, logical = Logical.OR)
 @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_JAR, type = OperLogConstants.CREATE, content = "#msClass.getLogDetails(#request.id)", msClass = JarConfigService.class)
 public String add(@RequestPart("request") JarConfig request, @RequestPart(value = "file", required = false) MultipartFile file) {
 return JarConfigService.add(request, file);
 }
 @PostMapping(value = "/update", consumes = {"multipart/form-data"})
+ @RequiresPermissions(value = {"PROJECT_FILE:READ+UPLOAD+JAR", "PROJECT_FILE:READ+UPLOAD+FILE"}, logical = Logical.OR)
 @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_JAR, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.id)", content = "#msClass.getLogDetails(#request.id)", msClass = JarConfigService.class)
 public void update(@RequestPart("request") JarConfig request, @RequestPart(value = "file", required = false) MultipartFile file) {
 JarConfigService.update(request, file);
 }
 @GetMapping("/delete/{id}")
+ @RequiresPermissions(value = {"PROJECT_FILE:READ+DELETE+JAR", "PROJECT_FILE:READ+DELETE+FILE"}, logical = Logical.OR)
 @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_JAR, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = JarConfigService.class)
 public void delete(@PathVariable String id) {
 JarConfigService.delete(id);
diff --git a/backend/src/main/java/io/metersphere/controller/ProjectController.java b/backend/src/main/java/io/metersphere/controller/ProjectController.java
index 590175800c..940c6a479f 100644
--- a/backend/src/main/java/io/metersphere/controller/ProjectController.java
+++ b/backend/src/main/java/io/metersphere/controller/ProjectController.java
@@ -135,6 +135,7 @@ public class ProjectController {
 }
 @PostMapping("/member/update")
+ @RequiresPermissions("PROJECT_USER:READ+EDIT")
 @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_MEMBER, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#memberDTO)", content = "#msClass.getLogDetails(#memberDTO)", msClass = ProjectService.class)
 public void updateMember(@RequestBody WorkspaceMemberDTO memberDTO) {
 projectService.updateMember(memberDTO);
diff --git a/backend/src/main/java/io/metersphere/notice/controller/NoticeController.java b/backend/src/main/java/io/metersphere/notice/controller/NoticeController.java
index 9dbecfb157..2297648eea 100644
--- a/backend/src/main/java/io/metersphere/notice/controller/NoticeController.java
+++ b/backend/src/main/java/io/metersphere/notice/controller/NoticeController.java
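Review bot: In JarConfigController, `/add` and `/update` accept a caller who holds only `PROJECT_FILE:READ+UPLOAD+FILE`, so a role meant for ordinary file uploads can also register or replace a JAR. If these JARs are later loaded during test execution (presumably, given the controller's purpose; not visible here), that grants code execution through a file permission. I would require the JAR permission alone on the mutating endpoints, e.g. `@RequiresPermissions("PROJECT_FILE:READ+UPLOAD+JAR")` on `/add` and `/update` and `@RequiresPermissions("PROJECT_FILE:READ+DELETE+JAR")` on `/delete/{id}`, or document why the FILE variant is sufficient. Nothing in the hunk validates the uploaded `file` (type, size, name), so that should be confirmed in `JarConfigService`. The body of `delete` continues outside the hunk.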
@@ -2,10 +2,12 @@ package io.metersphere.notice.controller;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.utils.SessionUtils;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.notice.domain.MessageDetail;
 import io.metersphere.notice.service.NoticeService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import javax.annotation.Resource;
@@ -18,6 +20,7 @@ public class NoticeController {
 private NoticeService noticeService;
 @PostMapping("save/message/task")
+ @RequiresPermissions(PermissionConstants.PROJECT_MESSAGE_READ_EDIT)
 @MsAuditLog(module = OperLogModule.WORKSPACE_MESSAGE_SETTINGS, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#messageDetail.id)", content = "#msClass.getLogDetails(#messageDetail.id)", msClass = NoticeService.class)
 public void saveMessage(@RequestBody MessageDetail messageDetail) {
 noticeService.saveMessageTask(messageDetail);
@@ -35,6 +38,7 @@ public class NoticeController {
 }
 @GetMapping("/delete/message/{identification}")
+ @RequiresPermissions(PermissionConstants.PROJECT_MESSAGE_READ_EDIT)
 @MsAuditLog(module = OperLogModule.WORKSPACE_MESSAGE_SETTINGS, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#identification)", msClass = NoticeService.class)
 public int deleteMessage(@PathVariable String identification) {
 return noticeService.delMessage(identification);
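Review bot: `saveMessage` is now gated by the project-scoped `PermissionConstants.PROJECT_MESSAGE_READ_EDIT`, while the `@MsAuditLog` on the following line still files the action under `OperLogModule.WORKSPACE_MESSAGE_SETTINGS`. The two scopes disagree, so either the message task is a workspace-level object guarded by a project permission, or the audit entries land in a module where a project reviewer will not look for them; which one is intended should be confirmed and the two aligned. The `/delete/message/{identification}` hunk has the same mismatch and also authorises a delete with the edit permission. If no separate delete permission exists, a comment such as `// deleting a message task is covered by PROJECT_MESSAGE_READ_EDIT; there is no distinct delete permission` would make that explicit. Both method bodies continue outside their hunks.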