diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/App.java b/hz-pm-api/src/main/java/com/hz/pm/api/App.java
index 3a5063b..86d9fcb 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/App.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/App.java
@@ -11,6 +11,8 @@ import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 import org.springframework.scheduling.annotation.EnableAsync;
 import org.springframework.scheduling.annotation.EnableScheduling;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
@@ -21,6 +23,7 @@ import org.springframework.transaction.annotation.EnableTransactionManagement;
 @EnableAsync
 @MapperScan(App.MAPPER_PACKAGES)
 @EnableScheduling
+@EnableMethodSecurity
 @EnableTransactionManagement
 @EnableAspectJAutoProxy(exposeProxy = true)
 @ComponentScan(basePackages = {"com.hz.pm", "com.ningdatech.irs"})
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/MenuController.java b/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/MenuController.java
index 1704fbf..e83ba43 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/MenuController.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/MenuController.java
@@ -21,6 +21,7 @@ import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
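Review bot: The first added import, `EnableGlobalMethodSecurity`, is never used — the annotation placed on the class in the next hunk is `@EnableMethodSecurity`, and `EnableGlobalMethodSecurity` is the deprecated predecessor it replaces. Drop that line and keep only `import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;`, so a reader is not left guessing which of the two method-security models is in force.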
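Review bot: `@EnableMethodSecurity` is the single switch that makes the `@PreAuthorize` annotations added in MenuController and RoleController take effect, and it deserves a comment saying so, e.g. `// Enables @PreAuthorize checks; only annotated methods are affected, everything else keeps its existing HTTP-level rules.` It does not restrict any method that carries no annotation, so the other endpoints of those controllers are exactly as protected as before this change. Whether the `AccessDeniedException` raised on a failed check is mapped to a 403 by the application's exception handling is not visible in this diff and is worth confirming before relying on it.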
@@ -92,6 +93,7 @@ public class MenuController {
 @ApiOperation(value = "保存新菜单", notes = "保存新菜单")
 @PostMapping("/save")
 @WebLog("保存菜单")
+ @PreAuthorize("hasAuthority('SUPER_ADMIN')")
 public MenuVO handlerSave(@Valid @RequestBody MenuSaveDTO data) {
 menuService.save(data, LoginUserUtil.getUserId());
 return BeanUtil.toBean(data, MenuVO.class);
@@ -100,6 +102,7 @@ public class MenuController {
 @ApiOperation(value = "编辑菜单", notes = "编辑菜单")
 @PostMapping("/modify")
 @WebLog("编辑菜单")
+ @PreAuthorize("hasAuthority('SUPER_ADMIN')")
 public MenuVO handlerUpdate(@RequestBody MenuUpdateDTO data) {
 menuService.update(data, LoginUserUtil.getUserId());
 return BeanUtil.toBean(data, MenuVO.class);
@@ -108,6 +111,7 @@ public class MenuController {
 @ApiOperation(value = "删除菜单", notes = "删除菜单")
 @PostMapping("/remove")
 @WebLog("删除菜单")
+ @PreAuthorize("hasAuthority('SUPER_ADMIN')")
 public Boolean handlerDelete(@RequestBody List ids) {
 return menuService.removeByIdWithCache(ids);
 }
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/RoleController.java b/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/RoleController.java
index 0a9c057..31e6e97 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/RoleController.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/sys/controller/RoleController.java
@@ -2,8 +2,6 @@ package com.hz.pm.api.sys.controller;
 import cn.hutool.core.bean.BeanUtil;
 import cn.hutool.core.lang.Assert;
-import com.ningdatech.basic.model.PageVo;
-import com.ningdatech.log.annotation.WebLog;
 import com.hz.pm.api.common.util.BizUtils;
 import com.hz.pm.api.sys.manage.RoleManage;
 import com.hz.pm.api.sys.model.dto.MenuDataScopeDTO;
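Review bot: The authority name is a bare string literal inside a SpEL expression, `hasAuthority('SUPER_ADMIN')`, and it is repeated verbatim on the new `@PreAuthorize` line of this hunk, on the /modify and /remove hunks below, and on the three RoleController hunks (/save, /modify, /remove); a typo in any one copy compiles cleanly and yields a rule no user can ever satisfy. Declare the name once as a compile-time constant, e.g. `public static final String SUPER_ADMIN_AUTHORITY = "hasAuthority('SUPER_ADMIN')";`, and write each line as `@PreAuthorize(SUPER_ADMIN_AUTHORITY)` — or, equivalently, a composed annotation meta-annotated with `@PreAuthorize`. The check only works if a role whose `code` is exactly `SUPER_ADMIN` exists in the role data, which this diff does not show; if the `RoleEnum` imported in UserInfoDetails already carries that name, deriving the constant from it would keep the two in step. The enclosing class MenuController starts before this hunk.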
@@ -14,10 +12,13 @@ import com.hz.pm.api.sys.model.req.RolePageReq;
 import com.hz.pm.api.sys.model.vo.RoleVO;
 import com.hz.pm.api.sys.service.IRoleService;
 import com.hz.pm.api.user.util.LoginUserUtil;
+import com.ningdatech.basic.model.PageVo;
+import com.ningdatech.log.annotation.WebLog;
 import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
@@ -73,6 +74,7 @@ public class RoleController {
 @ApiOperation(value = "保存新角色", notes = "保存新角色")
 @PostMapping("/save")
 @WebLog("保存新角色")
+ @PreAuthorize("hasAuthority('SUPER_ADMIN')")
 public RoleVO handlerSave(@Valid @RequestBody RoleSaveDTO data) {
 roleService.saveRole(data, LoginUserUtil.getUserId());
 return BeanUtil.toBean(data, RoleVO.class);
@@ -81,6 +83,7 @@ public class RoleController {
 @ApiOperation(value = "编辑角色", notes = "编辑角色")
 @PostMapping("/modify")
 @WebLog("编辑角色")
+ @PreAuthorize("hasAuthority('SUPER_ADMIN')")
 public RoleVO handlerUpdate(@Valid @RequestBody RoleUpdateDTO data) {
 roleService.updateRole(data, LoginUserUtil.getUserId());
 return BeanUtil.toBean(data, RoleVO.class);
@@ -89,6 +92,7 @@ public class RoleController {
 @ApiOperation(value = "删除角色", notes = "删除角色")
 @PostMapping("/remove")
 @WebLog("删除角色")
+ @PreAuthorize("hasAuthority('SUPER_ADMIN')")
 public Boolean handlerDelete(@Valid @RequestBody List ids) {
 return roleService.removeByIdWithCache(ids);
 }
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/user/security/model/UserInfoDetails.java b/hz-pm-api/src/main/java/com/hz/pm/api/user/security/model/UserInfoDetails.java
index d424211..720c00b 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/user/security/model/UserInfoDetails.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/user/security/model/UserInfoDetails.java
@@ -1,7 +1,7 @@
 package com.hz.pm.api.user.security.model;
 import cn.hutool.core.collection.CollUtil;
-import cn.hutool.core.collection.CollectionUtil;
+import cn.hutool.core.util.StrUtil;
 import com.hz.pm.api.sys.model.entity.Role;
 import com.hz.pm.api.user.model.enumeration.RoleEnum;
 import com.ningdatech.basic.auth.AbstractLoginUser;
@@ -75,7 +75,13 @@ public class UserInfoDetails extends AbstractLoginUser implements UserDetails {
 if (CollUtil.isNotEmpty(this.userRoleList)) {
 List authorities = new ArrayList<>();
 for (Role role : this.userRoleList) {
- authorities.add(new SimpleGrantedAuthority(role.getCode()));
+ String roleCode;
+ if (StrUtil.isBlank(role.getCode())) {
+ roleCode = String.valueOf(role.getId());
+ } else {
+ roleCode = role.getCode();
+ }
+ authorities.add(new SimpleGrantedAuthority(roleCode));
 }
 return authorities;
 }
@@ -149,7 +155,7 @@ public class UserInfoDetails extends AbstractLoginUser implements UserDetails {
 return Boolean.FALSE;
 }
- public List getRoleIds(){
+ public List getRoleIds() {
 if (this.userRoleList != null && !this.userRoleList.isEmpty()) {
 return this.userRoleList.stream().map(Role::getId).collect(Collectors.toList());
 }
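Review bot: The new blank-code fallback in the second hunk grants the role's numeric id as the authority string, so a role whose `code` is blank can never satisfy `hasAuthority('SUPER_ADMIN')` or any other name-based check, and the underlying data problem — a role record with no code — disappears without a trace; if `role.getId()` is null as well, the granted authority is the literal text `"null"`. At minimum say why the fallback exists, e.g. `// Blank role code: use the numeric id so the role still yields a distinct authority; name-based hasAuthority() checks cannot match it.` above the `if (StrUtil.isBlank(...))` line. If the class has a logger (none is visible in this hunk), a warning naming the role id at that point would make an admin role that has lost its code show up in the logs instead of as an unexplained 403. The enclosing getAuthorities() method starts before this hunk.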