diff --git a/backend/src/main/java/io/metersphere/controller/ProjectController.java b/backend/src/main/java/io/metersphere/controller/ProjectController.java
index acf07500a0..a9d414afb4 100644
--- a/backend/src/main/java/io/metersphere/controller/ProjectController.java
+++ b/backend/src/main/java/io/metersphere/controller/ProjectController.java
@@ -3,9 +3,11 @@ package io.metersphere.controller;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import io.metersphere.base.domain.Project;
+import io.metersphere.commons.constants.RoleConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.service.ProjectService;
+import org.apache.shiro.authz.annotation.RequiresRoles;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
@@ -24,22 +26,26 @@ public class ProjectController {
     }
 
     @PostMapping("/add")
+    @RequiresRoles(RoleConstants.TEST_MANAGER)
     public Project addProject(@RequestBody Project project) {
         return projectService.addProject(project);
     }
 
     @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresRoles(RoleConstants.TEST_MANAGER)
     public Pager<List<Project>> getProjectList(@PathVariable int goPage, @PathVariable int pageSize) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, projectService.getProjectList());
     }
 
     @GetMapping("/delete/{projectId}")
+    @RequiresRoles(RoleConstants.TEST_MANAGER)
     public void deleteProject(@PathVariable(value = "projectId") String projectId) {
         projectService.deleteProject(projectId);
     }
 
     @PostMapping("/update")
+    @RequiresRoles(RoleConstants.TEST_MANAGER)
     public void updateProject(@RequestBody Project Project) {
         projectService.updateProject(Project);
     }
diff --git a/backend/src/main/java/io/metersphere/controller/WorkspaceController.java b/backend/src/main/java/io/metersphere/controller/WorkspaceController.java
index 082dc96c12..c43cffb329 100644
--- a/backend/src/main/java/io/metersphere/controller/WorkspaceController.java
+++ b/backend/src/main/java/io/metersphere/controller/WorkspaceController.java
@@ -3,9 +3,11 @@ package io.metersphere.controller;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import io.metersphere.base.domain.Workspace;
+import io.metersphere.commons.constants.RoleConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.service.WorkspaceService;
+import org.apache.shiro.authz.annotation.RequiresRoles;
 import org.springframework.web.bind.annotation.*;
 
 import javax.annotation.Resource;
@@ -18,16 +20,19 @@ public class WorkspaceController {
     private WorkspaceService workspaceService;
 
     @PostMapping("save")
+    @RequiresRoles(RoleConstants.ORG_ADMIN)
     public Workspace saveWorkspace(@RequestBody Workspace workspace) {
         return workspaceService.saveWorkspace(workspace);
     }
 
     @GetMapping("delete/{workspaceId}")
+    @RequiresRoles(RoleConstants.ORG_ADMIN)
     public void saveWorkspace(@PathVariable String workspaceId) {
         workspaceService.deleteWorkspace(workspaceId);
     }
 
     @PostMapping("list/{goPage}/{pageSize}")
+    @RequiresRoles(RoleConstants.ORG_ADMIN)
     public Pager<List<Workspace>> getWorkspaceList(@PathVariable int goPage, @PathVariable int pageSize) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, workspaceService.getWorkspaceList());