diff --git a/plugin/api/gateway/api.go b/plugin/api/gateway/api.go
index 7624624b..ab1ac7f4 100644
--- a/plugin/api/gateway/api.go
+++ b/plugin/api/gateway/api.go
@@ -6,6 +6,7 @@ package gateway
 
 import (
 	"infini.sh/framework/core/api"
+	"infini.sh/framework/core/api/rbac/enum"
 )
 
 type GatewayAPI struct {
@@ -15,12 +16,12 @@ type GatewayAPI struct {
 func init() {
 	gateway:=GatewayAPI{}
 	api.HandleAPIMethod(api.POST, "/gateway/instance/try_connect", gateway.tryConnect)
-	api.HandleAPIMethod(api.GET, "/gateway/instance/:instance_id", gateway.getInstance)
-	api.HandleAPIMethod(api.POST, "/gateway/instance", gateway.createInstance)
-	api.HandleAPIMethod(api.PUT, "/gateway/instance/:instance_id", gateway.updateInstance)
-	api.HandleAPIMethod(api.DELETE, "/gateway/instance/:instance_id", gateway.deleteInstance)
-	api.HandleAPIMethod(api.GET, "/gateway/instance/_search", gateway.searchInstance)
-	api.HandleAPIMethod(api.POST, "/gateway/instance/status", gateway.getInstanceStatus)
+	api.HandleAPIMethod(api.GET, "/gateway/instance/:instance_id", gateway.RequirePermission(gateway.getInstance, enum.PermissionGatewayInstanceRead))
+	api.HandleAPIMethod(api.POST, "/gateway/instance", gateway.RequirePermission(gateway.createInstance, enum.PermissionGatewayInstanceWrite))
+	api.HandleAPIMethod(api.PUT, "/gateway/instance/:instance_id", gateway.RequirePermission(gateway.updateInstance, enum.PermissionGatewayInstanceWrite))
+	api.HandleAPIMethod(api.DELETE, "/gateway/instance/:instance_id", gateway.RequirePermission(gateway.deleteInstance, enum.PermissionGatewayInstanceWrite))
+	api.HandleAPIMethod(api.GET, "/gateway/instance/_search", gateway.RequirePermission(gateway.searchInstance, enum.PermissionGatewayInstanceRead))
+	api.HandleAPIMethod(api.POST, "/gateway/instance/status", gateway.RequirePermission(gateway.getInstanceStatus, enum.PermissionGatewayInstanceRead))
 
-	api.HandleAPIMethod(api.POST, "/gateway/instance/:instance_id/_proxy", gateway.proxy)
+	api.HandleAPIMethod(api.POST, "/gateway/instance/:instance_id/_proxy", gateway.RequirePermission(gateway.proxy, enum.PermissionGatewayInstanceRead))
 }
diff --git a/plugin/api/init.go b/plugin/api/init.go
index 178e64ab..c69abd01 100644
--- a/plugin/api/init.go
+++ b/plugin/api/init.go
@@ -5,6 +5,7 @@ import (
 	"infini.sh/console/plugin/api/alerting"
 	"infini.sh/console/plugin/api/index_management"
 	"infini.sh/framework/core/api"
+	"infini.sh/framework/core/api/rbac/enum"
 	"path"
 )
 
@@ -15,7 +16,7 @@ func Init(cfg *config.AppConfig) {
 	}
 	var pathPrefix = "/_search-center/"
 	var esPrefix = "/elasticsearch/:id/"
-	api.HandleAPIMethod(api.GET, path.Join(pathPrefix, "elasticsearch/overview"), handler.ElasticsearchOverviewAction)
+	api.HandleAPIMethod(api.GET, path.Join(pathPrefix, "elasticsearch/overview"), handler.RequirePermission(handler.ElasticsearchOverviewAction, enum.PermissionElasticsearchMetricRead))
 	//api.HandleAPIMethod(api.POST, "/api/get_indices",index_management.API1)
 
 	api.HandleAPIMethod(api.GET, path.Join(pathPrefix, "dict/_search"), handler.GetDictListAction)
@@ -41,10 +42,10 @@ func Init(cfg *config.AppConfig) {
 	api.HandleAPIMethod(api.DELETE, path.Join(esPrefix, "index/:index"), handler.HandleDeleteIndexAction)
 	api.HandleAPIMethod(api.POST, path.Join(esPrefix, "index/:index"), handler.HandleCreateIndexAction)
 
-	api.HandleAPIMethod(api.POST, path.Join(pathPrefix, "elasticsearch/command"), handler.HandleAddCommonCommandAction)
-	api.HandleAPIMethod(api.PUT, path.Join(pathPrefix, "elasticsearch/command/:cid"), handler.HandleSaveCommonCommandAction)
-	api.HandleAPIMethod(api.GET, path.Join(pathPrefix, "elasticsearch/command"), handler.HandleQueryCommonCommandAction)
-	api.HandleAPIMethod(api.DELETE, path.Join(pathPrefix, "elasticsearch/command/:cid"), handler.HandleDeleteCommonCommandAction)
+	api.HandleAPIMethod(api.POST, path.Join(pathPrefix, "elasticsearch/command"), handler.RequirePermission(handler.HandleAddCommonCommandAction, enum.PermissionCommandWrite))
+	api.HandleAPIMethod(api.PUT, path.Join(pathPrefix, "elasticsearch/command/:cid"), handler.RequirePermission(handler.HandleSaveCommonCommandAction, enum.PermissionCommandWrite))
+	api.HandleAPIMethod(api.GET, path.Join(pathPrefix, "elasticsearch/command"), handler.RequirePermission(handler.HandleQueryCommonCommandAction, enum.PermissionCommandRead))
+	api.HandleAPIMethod(api.DELETE, path.Join(pathPrefix, "elasticsearch/command/:cid"), handler.RequirePermission(handler.HandleDeleteCommonCommandAction,enum.PermissionCommandWrite))
 
 	//task.RegisterScheduleTask(task.ScheduleTask{
 	//	Description: "sync reindex task result",