diff --git a/backend/src/main/java/io/metersphere/controller/ProjectController.java b/backend/src/main/java/io/metersphere/controller/ProjectController.java
index 88abb511b5..061b53a3a0 100644
--- a/backend/src/main/java/io/metersphere/controller/ProjectController.java
+++ b/backend/src/main/java/io/metersphere/controller/ProjectController.java
@@ -7,6 +7,7 @@ import io.metersphere.base.domain.FileMetadata;
 import io.metersphere.base.domain.Project;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.commons.utils.SessionUtils;
@@ -17,6 +18,7 @@ import io.metersphere.dto.WorkspaceMemberDTO;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.service.CheckPermissionService;
 import io.metersphere.service.ProjectService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
@@ -72,6 +74,7 @@ public class ProjectController {
 
     @PostMapping("/add")
     @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_MANAGER, type = OperLogConstants.CREATE, content = "#msClass.getLogDetails(#project.id)", msClass = ProjectService.class)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_MANAGER_READ_CREATE)
     public Project addProject(@RequestBody AddProjectRequest project, HttpServletRequest request) {
         Project returnModel = projectService.addProject(project);
         //创建项目的时候默认增加Mock环境
@@ -99,12 +102,14 @@ public class ProjectController {
 
     @GetMapping("/delete/{projectId}")
     @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_MANAGER, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#projectId)", msClass = ProjectService.class)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_MANAGER_READ_DELETE)
     public void deleteProject(@PathVariable(value = "projectId") String projectId) {
         projectService.deleteProject(projectId);
     }
 
     @PostMapping("/update")
     @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_MANAGER, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#Project.id)", content = "#msClass.getLogDetails(#Project.id)", msClass = ProjectService.class)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_MANAGER_READ_EDIT)
     public void updateProject(@RequestBody AddProjectRequest Project) {
         projectService.updateProject(Project);
     }