diff --git a/internal/biz/account.go b/internal/biz/account.go
index ecaaca87..49641446 100644
--- a/internal/biz/account.go
+++ b/internal/biz/account.go
@@ -97,19 +97,20 @@ func authorize(user Account) (m map[string]interface{}, err error) {
 if err != nil {
 return
 }
- var roles []string
+ var roles, privilege []string
 for _, v := range user.Roles {
 roles = append(roles, v.Name)
+ r, _ := GetRole(v.Id)
+ privilege = append(privilege, r.Platform...)
 }
+
 m = util.MapStr{
 "access_token": tokenString,
 "username": user.Username,
 "id": user.ID,
 "expire_in": 86400,
 "roles": roles,
- "privilege": []string{
- "system.user:all", "system.role:all", "system.cluster:all", "system.command:all",
- },
+ "privilege": privilege,
 }
 return
 }
diff --git a/internal/biz/context.go b/internal/biz/context.go
index d6f41808..1a190cc2 100644
--- a/internal/biz/context.go
+++ b/internal/biz/context.go
@@ -31,7 +31,13 @@ func NewEsContext(ctx context.Context, role EsRole) {
 //get user es role
 }
 
-func ValidateEsPermission(req, userRole EsRole) (err error) {
+
+type EsRequest struct {
+ Cluster []string `json:"cluster"`
+ Index []string `json:"index"`
+ }
+
+func ValidateEsPermission(req EsRequest, userRole EsRole) (err error) {
 userClusterMap := make(map[string]struct{})
 userIndexMap := make(map[string]struct{})
 for _, v := range userRole.Cluster {
@@ -43,12 +49,12 @@ func ValidateEsPermission(req, userRole EsRole) (err error) {
 }
 }
 
- //for _, v := range req.Cluster {
- // if _, ok := userClusterMap[v]; !ok {
- // err = errors.New("no cluster permission")
- // return
- // }
- //}
+ for _, v := range req.Cluster {
+ if _, ok := userClusterMap[v]; !ok {
+ err = errors.New("no cluster permission")
+ return
+ }
+ }
 //for _, v := range req.Index {
 // if _, ok := userClusterMap[v]; !ok {
 // err = errors.New("no index permission")
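Review bot: The error from `GetRole(v.Id)` is discarded on the new `r, _ := GetRole(v.Id)` line, so a failed lookup silently issues a token whose `privilege` list is missing that role's entries, and if GetRole returns a pointer that is nil on error the following `r.Platform` would panic (the return type is not visible here). Because `err` is a named result, a bare `r, err := ...` inside the loop would shadow it and a naked `return` would still report nil, so the lookup should be `r, rerr := GetRole(v.Id)` followed by `if rerr != nil { err = rerr; return }` before `privilege = append(privilege, r.Platform...)`. Separately, `privilege` stays a nil slice when no role grants platform privileges, which encodes as `null` rather than `[]` if `m` is JSON-marshalled, whereas the old hard-coded list always produced an array; `privilege := []string{}` would keep the shape stable for clients, and entries are not de-duplicated across roles. authorize's body begins before this hunk.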
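Review bot: The exported `EsRequest` type and the re-typed `ValidateEsPermission` have no doc comments, and the json tags indicate the struct is decoded from a request body, which is worth stating because it means `Cluster` and `Index` are caller-controlled values to be checked, never trusted. A comment such as `// EsRequest lists the cluster and index names a caller asks to access; it is decoded from the request body, so its contents are untrusted.` on the type, and `// ValidateEsPermission returns an error if req names a cluster that userRole does not grant.` on the function, would make the contract explicit. Any caller still passing an `EsRole` as the first argument must be updated to build an `EsRequest`; ValidateEsPermission's body continues past the end of this hunk.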
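Review bot: Only the cluster check is enabled; the `req.Index` loop remains commented out, so the function returns nil for any index name and the index grants collected into `userIndexMap` (declared earlier in this function) are never enforced. The commented block also looks up `userClusterMap[v]` for index names, so when it is enabled it must consult `userIndexMap` instead, otherwise index permissions would be judged against cluster names. Note too that an empty `req.Cluster` passes vacuously, which is fine only if no call site treats "no cluster listed" as "all clusters" — worth confirming. ValidateEsPermission starts before this hunk and the commented index lines continue past its end.
```go
	// … unchanged: cluster check …
	for _, v := range req.Index {
		if _, ok := userIndexMap[v]; !ok {
			err = errors.New("no index permission")
			return
		}
	}
```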