diff --git a/src/admin/controllers/permission.controller.ts b/src/admin/controllers/permission.controller.ts
new file mode 100644
index 0000000..e87100f
--- /dev/null
+++ b/src/admin/controllers/permission.controller.ts
@@ -0,0 +1,44 @@
+import BaseController from '../../common/base.controller'
+import { permission, router } from '../../decorators/router'
+import { ZError } from '../../common/ZError'
+import { AdminPermission } from '../../models/admin/AdminPermission'
+import { AdminRole } from '../../models/admin/AdminRole'
+
+class PermissionController extends BaseController {
+  @permission('permission:update')
+  @router('post /permission')
+  async saveRole(req) {
+    const { datas } = req.params
+    for (let data of datas) {
+      const record = (await AdminPermission.findOrCreate({_id: data._id})).doc;
+      record.name = data.name
+      record.actions = data.actions
+      await record.save()
+    }
+    return {}
+  }
+
+  @permission('permission:read')
+  // @role('sysadmin')
+  @router('get /permissions')
+  async roles(req) {
+    const user = req.user
+    const queryData: any = {}
+    if (!user.isSysAdmin()) {
+      queryData.show = true
+    }
+    const records = await AdminPermission.find(queryData)
+    return records.map(o => o.toJson())
+  }
+
+  @permission('permission:delete')
+  @router('delete /permission/:key')
+  async deleteRole(req) {
+    const { key } = req.params
+    if (!key) {
+      throw new ZError(10, 'record not found')
+    }
+    const result = await AdminPermission.deleteOne({ _id: key })
+    return { count: result.deletedCount }
+  }
+}
diff --git a/src/models/admin/AdminPermission.ts b/src/models/admin/AdminPermission.ts
new file mode 100644
index 0000000..f2d402c
--- /dev/null
+++ b/src/models/admin/AdminPermission.ts
@@ -0,0 +1,43 @@
+
+import {
+  getModelForClass,
+  index,
+  modelOptions,
+  prop
+} from '@typegoose/typegoose'
+import { dbconn } from 'decorators/dbconn'
+import { BaseModule } from '../Base'
+
+@dbconn()
+@index({ name: 1, action: 1 }, { unique: true })
+@modelOptions({schemaOptions: {collection: "admin_permission", _id: false, timestamps: true}})
+export class AdminPermissionClass extends BaseModule{
+  @prop()
+  public _id: string;
+
+  @prop()
+  public name: string;
+
+  @prop()
+  public actions: string[];
+
+
+  @prop()
+  public comment?: string;
+
+  @prop({default: true})
+  public show: boolean
+
+  public toJson() {
+    return {
+      id: this._id,
+      label: this.name,
+      children: this.actions.map(o=>{return {id: `${this._id}:${o}`, label: o}}),
+      comment: this.comment
+    }
+  }
+
+}
+
+
+export const AdminPermission = getModelForClass(AdminPermissionClass, {existingConnection: AdminPermissionClass.db});