diff --git a/internal/db/models/http_auth_policy_dao.go b/internal/db/models/http_auth_policy_dao.go
index 000ef46a..4efad9d4 100644
--- a/internal/db/models/http_auth_policy_dao.go
+++ b/internal/db/models/http_auth_policy_dao.go
@@ -68,8 +68,9 @@ func (this *HTTPAuthPolicyDAO) FindEnabledHTTPAuthPolicy(tx *dbs.Tx, id int64) (
 }
 
 // CreateHTTPAuthPolicy 创建策略
-func (this *HTTPAuthPolicyDAO) CreateHTTPAuthPolicy(tx *dbs.Tx, name string, methodType string, paramsJSON []byte) (int64, error) {
+func (this *HTTPAuthPolicyDAO) CreateHTTPAuthPolicy(tx *dbs.Tx, userId int64, name string, methodType string, paramsJSON []byte) (int64, error) {
 var op = NewHTTPAuthPolicyOperator()
+ op.UserId = userId
 op.Name = name
 op.Type = methodType
 op.Params = paramsJSON
@@ -137,6 +138,20 @@ func (this *HTTPAuthPolicyDAO) ComposePolicyConfig(tx *dbs.Tx, policyId int64, c
 return config, nil
 }
 
+// CheckUserPolicy 检查用户权限
+func (this *HTTPAuthPolicyDAO) CheckUserPolicy(tx *dbs.Tx, userId int64, policyId int64) error {
+ if userId <= 0 || policyId <= 0 {
+ return ErrNotFound
+ }
+
+ webId, err := SharedHTTPWebDAO.FindEnabledWebIdWithHTTPAuthPolicyId(tx, policyId)
+ if err != nil {
+ return err
+ }
+
+ return SharedHTTPWebDAO.CheckUserWeb(tx, userId, webId)
+}
+
 // NotifyUpdate 通知更改
 func (this *HTTPAuthPolicyDAO) NotifyUpdate(tx *dbs.Tx, policyId int64) error {
 webId, err := SharedHTTPWebDAO.FindEnabledWebIdWithHTTPAuthPolicyId(tx, policyId)
diff --git a/internal/db/models/http_web_dao.go b/internal/db/models/http_web_dao.go
index fea3418f..9a4bf375 100644
--- a/internal/db/models/http_web_dao.go
+++ b/internal/db/models/http_web_dao.go
@@ -1042,6 +1042,10 @@ func (this *HTTPWebDAO) FindWebServerGroupId(tx *dbs.Tx, webId int64) (groupId i
 
 // CheckUserWeb 检查用户权限
 func (this *HTTPWebDAO) CheckUserWeb(tx *dbs.Tx, userId int64, webId int64) error {
+ if userId <= 0 || webId <= 0 {
+ return ErrNotFound
+ }
+
 serverId, err := this.FindWebServerId(tx, webId)
 if err != nil {
 return err
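Review bot: CheckUserPolicy in http_auth_policy_dao.go decides ownership only through the web that references the policy and never reads the `UserId` that CreateHTTPAuthPolicy starts storing in the first hunk of the same file. If FindEnabledWebIdWithHTTPAuthPolicyId yields 0 for a policy that is not attached to a web yet (its body is outside this diff), the new guard in CheckUserWeb turns that into ErrNotFound, so a user would be locked out of a policy they have just created. Comparing the policy row's stored owner first, and falling back to the web lookup for rows without one, would close that gap. The doc comment should state the contract, for example `// CheckUserPolicy returns nil only if the policy is attached to a web owned by userId, and an error otherwise`.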
diff --git a/internal/rpc/services/service_http_auth_policy.go b/internal/rpc/services/service_http_auth_policy.go
index 0dbd7a45..3a108e2c 100644
--- a/internal/rpc/services/service_http_auth_policy.go
+++ b/internal/rpc/services/service_http_auth_policy.go
@@ -15,13 +15,13 @@ type HTTPAuthPolicyService struct {
 
 // CreateHTTPAuthPolicy 创建策略
 func (this *HTTPAuthPolicyService) CreateHTTPAuthPolicy(ctx context.Context, req *pb.CreateHTTPAuthPolicyRequest) (*pb.CreateHTTPAuthPolicyResponse, error) {
- _, err := this.ValidateAdmin(ctx)
+ _, userId, err := this.ValidateAdminAndUser(ctx)
 if err != nil {
 return nil, err
 }
 
 var tx = this.NullTx()
- policyId, err := models.SharedHTTPAuthPolicyDAO.CreateHTTPAuthPolicy(tx, req.Name, req.Type, req.ParamsJSON)
+ policyId, err := models.SharedHTTPAuthPolicyDAO.CreateHTTPAuthPolicy(tx, userId, req.Name, req.Type, req.ParamsJSON)
 if err != nil {
 return nil, err
 }
@@ -30,12 +30,21 @@ func (this *HTTPAuthPolicyService) CreateHTTPAuthPolicy(ctx context.Context, req
 
 // UpdateHTTPAuthPolicy 修改策略
 func (this *HTTPAuthPolicyService) UpdateHTTPAuthPolicy(ctx context.Context, req *pb.UpdateHTTPAuthPolicyRequest) (*pb.RPCSuccess, error) {
- _, err := this.ValidateAdmin(ctx)
+ _, userId, err := this.ValidateAdminAndUser(ctx)
 if err != nil {
 return nil, err
 }
 
 var tx = this.NullTx()
+
+ // 检查用户权限
+ if userId > 0 {
+ err = models.SharedHTTPAuthPolicyDAO.CheckUserPolicy(tx, userId, req.HttpAuthPolicyId)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 err = models.SharedHTTPAuthPolicyDAO.UpdateHTTPAuthPolicy(tx, req.HttpAuthPolicyId, req.Name, req.ParamsJSON, req.IsOn)
 if err != nil {
 return nil, err
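Review bot: `req.Type` and `req.ParamsJSON` reach the DAO unchecked in the service-level CreateHTTPAuthPolicy, and after the switch to ValidateAdminAndUser they can come from an ordinary user rather than from an admin only. Unless the DAO validates them outside the visible lines, reject unknown method types and malformed params before the insert, e.g. `if len(req.ParamsJSON) > 0 && !json.Valid(req.ParamsJSON) { return nil, errors.New("invalid params") }`. A per-user cap on the number of policies may also be worth considering, since nothing in this hunk bounds how many rows one user can create.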
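Review bot: The ownership check in UpdateHTTPAuthPolicy is skipped whenever `userId` is 0, so the `if userId > 0` gate (and the identical one added to FindEnabledHTTPAuthPolicy in the following hunk) fails open if ValidateAdminAndUser can ever return a zero user id for a caller who is not an admin; its contract is not visible in this diff. Keeping the first return value and gating on it makes the admin bypass explicit and lets CheckUserPolicy's own `userId <= 0` guard reject everything else: `adminId, userId, err := this.ValidateAdminAndUser(ctx)` and `if adminId <= 0 {` around the CheckUserPolicy call, assuming that first value is the admin id. The read path deserves the same care as the write path, since the policy params returned by FindEnabledHTTPAuthPolicy may hold credentials. Both function bodies continue outside their hunks.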
@@ -45,12 +54,21 @@ func (this *HTTPAuthPolicyService) UpdateHTTPAuthPolicy(ctx context.Context, req
 
 // FindEnabledHTTPAuthPolicy 查找策略信息
 func (this *HTTPAuthPolicyService) FindEnabledHTTPAuthPolicy(ctx context.Context, req *pb.FindEnabledHTTPAuthPolicyRequest) (*pb.FindEnabledHTTPAuthPolicyResponse, error) {
- _, err := this.ValidateAdmin(ctx)
+ _, userId, err := this.ValidateAdminAndUser(ctx)
 if err != nil {
 return nil, err
 }
 
 var tx = this.NullTx()
+
+ // 检查用户权限
+ if userId > 0 {
+ err = models.SharedHTTPAuthPolicyDAO.CheckUserPolicy(tx, userId, req.HttpAuthPolicyId)
+ if err != nil {
+ return nil, err
+ }
+ }
+
 policy, err := models.SharedHTTPAuthPolicyDAO.FindEnabledHTTPAuthPolicy(tx, req.HttpAuthPolicyId)
 if err != nil {
 return nil, err