diff --git a/internal/biz/account.go b/internal/biz/account.go index a5bac517..ecaaca87 100644 --- a/internal/biz/account.go +++ b/internal/biz/account.go @@ -22,10 +22,9 @@ type UserClaims struct { *User } type User struct { - Username string `json:"username"` - UserId string `json:"user_id"` - Roles []string `json:"roles"` - Privilege []string `json:"privilege"` + Username string `json:"username"` + UserId string `json:"user_id"` + Roles []string `json:"roles"` } type Account struct { ID string `json:"id,omitempty" ` @@ -227,6 +226,7 @@ func ValidatePermission(claims *UserClaims, permissions []string) (err error) { } } } + var count int for _, v := range permissions { if _, ok := userPermissionMap[v]; ok { diff --git a/internal/biz/context.go b/internal/biz/context.go index 2d4a8e49..d6f41808 100644 --- a/internal/biz/context.go +++ b/internal/biz/context.go @@ -21,3 +21,39 @@ func FromUserContext(ctx context.Context) (*User, error) { } return reqUser.User, nil } + +//type EsRole struct { +// Cluster []string `json:"cluster,omitempty"` +// Index []string `json:"index,omitempty"` +//} + +func NewEsContext(ctx context.Context, role EsRole) { + //get user es role + +} +func ValidateEsPermission(req, userRole EsRole) (err error) { + userClusterMap := make(map[string]struct{}) + userIndexMap := make(map[string]struct{}) + for _, v := range userRole.Cluster { + userClusterMap[v.Id] = struct{}{} + } + for _, val := range userRole.Index { + for _, v := range val.Name { + userIndexMap[v] = struct{}{} + } + + } + //for _, v := range req.Cluster { + // if _, ok := userClusterMap[v]; !ok { + // err = errors.New("no cluster permission") + // return + // } + //} + //for _, v := range req.Index { + // if _, ok := userClusterMap[v]; !ok { + // err = errors.New("no index permission") + // return + // } + //} + return +} diff --git a/internal/biz/enum/const.go b/internal/biz/enum/const.go index 6c657966..1ca72c11 100644 --- a/internal/biz/enum/const.go 
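Review bot: ValidateEsPermission returns nil for every input because both permission loops are commented out, so if the middleware ever wires it in, every request passes; userIndexMap is built and never read. The commented sketch would also not compile once restored — EsRole.Cluster elements are structs, so the lookup needs `v.Id`, and req.Index elements carry a Name slice — and its index loop consults userClusterMap instead of userIndexMap. Until the check is real, an explicit failure such as `return errors.New("es permission check not implemented")` is safer than a silent nil. The rewrite below implements both loops; it compares cluster ids and index names only, does not consult the Privilege lists, and assumes errors is already imported in context.go. NewEsContext is an empty stub that ignores both of its arguments, and the commented-out EsRole struct above it duplicates the type now declared in permission.go.
```go
func ValidateEsPermission(req, userRole EsRole) (err error) {
	// … unchanged: build userClusterMap / userIndexMap from userRole …
	for _, c := range req.Cluster {
		if _, ok := userClusterMap[c.Id]; !ok {
			return errors.New("no cluster permission")
		}
	}
	for _, idx := range req.Index {
		for _, name := range idx.Name {
			if _, ok := userIndexMap[name]; !ok {
				return errors.New("no index permission")
			}
		}
	}
	return nil
}
```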
+++ b/internal/biz/enum/const.go @@ -16,7 +16,6 @@ var InstanceAll = []string{"instance::read", "instance::write"} var Admin []string var BuildRoles = make(map[string]map[string]interface{}, 0) -var Permission = make(map[string][]string) func init() { Admin = append(Admin, UserAll...) diff --git a/internal/biz/permission.go b/internal/biz/permission.go index 9ac146a7..6128d4ad 100644 --- a/internal/biz/permission.go +++ b/internal/biz/permission.go @@ -4,7 +4,19 @@ var ClusterApis = make(map[string][]string) var IndexApis = make([]string, 0) var RolePermission = make(map[string][]string) +var EsRolePermission = make(map[string]EsRole) +type EsRole struct { + Cluster []struct { + Id string `json:"id"` + Name string `json:"name"` + } `json:"cluster,omitempty"` + ClusterPrivilege []map[string][]string `json:"cluster_privilege,omitempty"` + Index []struct { + Name []string `json:"name"` + Privilege []string `json:"privilege"` + } `json:"index,omitempty"` +} type ConsolePermisson struct { Platform []Platform `json:"platform"` } diff --git a/internal/biz/role.go b/internal/biz/role.go index 0d15dce1..069b0780 100644 --- a/internal/biz/role.go +++ b/internal/biz/role.go @@ -135,7 +135,7 @@ func (role ElasticsearchRole) Create(localUser *User) (id string, err error) { return } - newRole := rbac.ElasticRole{ + newRole := rbac.Role{ Name: role.Name, Description: role.Description, RoleType: role.RoleType, diff --git a/internal/middleware/user.go b/internal/middleware/user.go index 9b41edf8..fdfcf589 100644 --- a/internal/middleware/user.go +++ b/internal/middleware/user.go 
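Review bot: EsRole declares Cluster and Index as anonymous struct slices, and the model/rbac/role.go hunk repeats the identical anonymous types on rbac.Role, so every future field change must be made twice and values only cross between the two by structural assignment; a named `type EsCluster struct{ Id, Name string }` plus a matching index type, shared by both, would remove the duplication. EsRolePermission is a package-level map with no synchronization: if it is filled only during init that is fine, but if role creation or updates write to it while handlers read it, that is a data race (the writers are not visible in this hunk). Neither the exported type nor the variable has a doc comment; something like `// EsRole is the set of Elasticsearch cluster and index grants attached to a console role.` would help the next reader.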
@@ -19,7 +19,19 @@ func LoginRequired(h httprouter.Handle) httprouter.Handle { h(w, r, ps) } } +func EsPermissionReqired(h httprouter.Handle) httprouter.Handle { + return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { + + claims, err := biz.ValidateLogin(r.Header.Get("Authorization")) + if err != nil { + w = handleError(w, http.StatusUnauthorized, err) + return + } + r = r.WithContext(biz.NewUserContext(r.Context(), claims)) + h(w, r, ps) + } +} func PermissionRequired(h httprouter.Handle, permissions ...string) httprouter.Handle { return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { claims, err := biz.ValidateLogin(r.Header.Get("Authorization")) diff --git a/model/rbac/role.go b/model/rbac/role.go index 012219fe..41fb8cf1 100644 --- a/model/rbac/role.go +++ b/model/rbac/role.go @@ -12,6 +12,15 @@ type Role struct { Platform []string `json:"platform,omitempty" ` BuiltIn bool `json:"builtin" elastic_mapping:"builtin:{type:boolean}"` //是否内置 + Cluster []struct { + Id string `json:"id"` + Name string `json:"name"` + } `json:"cluster,omitempty"` + ClusterPrivilege []map[string][]string `json:"cluster_privilege,omitempty"` + Index []struct { + Name []string `json:"name"` + Privilege []string `json:"privilege"` + } `json:"index,omitempty"` } type ConsolePermission struct { Api []string `json:"api"` diff --git a/plugin/api/account/account.go b/plugin/api/account/account.go index e7a03a12..d01f3a4f 100644 --- a/plugin/api/account/account.go +++ b/plugin/api/account/account.go 
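Review bot: EsPermissionReqired only validates the Authorization header and stores the claims, which is exactly what LoginRequired above already does, so a route wrapped in it is authenticated but no Elasticsearch permission is ever checked despite the name, and that name invites callers to assume a check exists. Either perform the intended check here before invoking h (and make sure it can actually fail — biz.ValidateEsPermission in this commit returns nil unconditionally), or leave the middleware out until it does. The identifier is also misspelled; `func EsPermissionRequired(h httprouter.Handle) httprouter.Handle {` is what callers will look for. An exported middleware should carry a doc comment stating what it enforces.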
@@ -103,20 +103,31 @@ func (h Account) Profile(w http.ResponseWriter, r *http.Request, ps httprouter.P h.Error(w, err) return } - //user, err := biz.GetUser(reqUser.UserId) - //if err != nil { - // h.Error(w, err) - // return - //} - //TODO get user from es - u := util.MapStr{ - "user_id": reqUser.UserId, - "username": reqUser.Username, - "email": "hello@infini.ltd", - "name": "admin", + if reqUser.UserId == "admin" { + + u := util.MapStr{ + "user_id": "admin", + "username": "admin", + "email": "admin@infini.ltd", + "name": "admin", + } + h.WriteOKJSON(w, core.FoundResponse(reqUser.UserId, u)) + } else { + user, err := biz.GetUser(reqUser.UserId) + if err != nil { + h.Error(w, err) + return + } + u := util.MapStr{ + "user_id": user.ID, + "username": user.Username, + "email": user.Email, + "name": user.Name, + } + h.WriteOKJSON(w, core.FoundResponse(reqUser.UserId, u)) } - h.WriteOKJSON(w, core.FoundResponse(reqUser.UserId, u)) + return } func (h Account) UpdatePassword(w http.ResponseWriter, r *http.Request, ps httprouter.Params) { diff --git a/plugin/api/rbac/api.go b/plugin/api/rbac/api.go index 37845318..39dc2cd7 100644 --- a/plugin/api/rbac/api.go +++ b/plugin/api/rbac/api.go @@ -17,7 +17,7 @@ type Rbac struct { func registerRouter() { r := Rbac{} - api.HandleAPIMethod(api.GET, "/permission/:type", m.PermissionRequired(r.ListPermission, enum.RoleRead...)) + api.HandleAPIMethod(api.GET, "/permission/:type", r.ListPermission) api.HandleAPIMethod(api.POST, "/role/:type", m.PermissionRequired(r.CreateRole, enum.RoleAll...)) api.HandleAPIMethod(api.GET, "/role/:id", m.PermissionRequired(r.GetRole, enum.RoleRead...)) api.HandleAPIMethod(api.DELETE, "/role/:id", m.PermissionRequired(r.DeleteRole, enum.RoleAll...)) @@ -55,10 +55,11 @@ func loadRolePermission() { biz.RolePermission = make(map[string][]string) biz.RolePermission["admin"] = enum.Admin + } func init() { registerRouter() - + loadJsonConfig() loadRolePermission() }
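Review bot: The new admin branch in Profile keys on the literal user id `"admin"` and fabricates the email and display name, so a stored admin record, if one exists, is never consulted and the address is baked into the handler; if the intent is only to cover a built-in account with no row in the store, a one-line comment saying so would stop a later reader treating it as a bug. The `else` after a branch that has already written the response can go: return right after `h.WriteOKJSON` in the admin case and dedent the lookup, which also removes the trailing bare `return`. The inner `user, err := biz.GetUser(...)` shadows the err declared earlier in the function; harmless because it is handled immediately, but worth a `=` if the outer variable is meant to be reused. Profile's signature and its first error check lie outside the hunk.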
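Review bot: Dropping m.PermissionRequired from the `/permission/:type` route leaves it with no middleware at all, not even LoginRequired, so unless a global handler applies elsewhere the permission catalog is now served to unauthenticated callers while every sibling route in this block still requires a role. If the intent is to let any signed-in user read it, `api.HandleAPIMethod(api.GET, "/permission/:type", m.LoginRequired(r.ListPermission))` keeps authentication without the RoleRead requirement. The second hunk adds `loadJsonConfig()` to init() ahead of loadRolePermission(); if the role map depends on that config the ordering is load-bearing and deserves a comment, and since init() cannot return an error, any failure inside loadJsonConfig should at least be logged (its body is not in this diff).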