diff --git a/internal/db/models/admin_dao.go b/internal/db/models/admin_dao.go
index 1b6efb41..f1a0d2ae 100644
--- a/internal/db/models/admin_dao.go
+++ b/internal/db/models/admin_dao.go
@@ -121,13 +121,19 @@ func (this *AdminDAO) UpdateAdminPassword(adminId int64, password string) error
 }
 // 创建管理员
-func (this *AdminDAO) CreateAdmin(username string, password string, fullname string) (int64, error) {
+func (this *AdminDAO) CreateAdmin(username string, password string, fullname string, isSuper bool, modulesJSON []byte) (int64, error) {
 op := NewAdminOperator()
 op.IsOn = true
 op.State = AdminStateEnabled
 op.Username = username
 op.Password = stringutil.Md5(password)
 op.Fullname = fullname
+ op.IsSuper = isSuper
+ if len(modulesJSON) > 0 {
+ op.Modules = modulesJSON
+ } else {
+ op.Modules = "[]"
+ }
 _, err := this.Save(op)
 if err != nil {
 return 0, err
@@ -136,7 +142,7 @@ func (this *AdminDAO) CreateAdmin(username string, password string, fullname str
 }
 // 修改管理员个人资料
-func (this *AdminDAO) UpdateAdmin(adminId int64, fullname string) error {
+func (this *AdminDAO) UpdateAdminInfo(adminId int64, fullname string) error {
 if adminId <= 0 {
 return errors.New("invalid adminId")
 }
@@ -147,6 +153,28 @@ func (this *AdminDAO) UpdateAdmin(adminId int64, fullname string) error {
 return err
 }
+// 修改管理员详细信息
+func (this *AdminDAO) UpdateAdmin(adminId int64, username string, password string, fullname string, isSuper bool, modulesJSON []byte) error {
+ if adminId <= 0 {
+ return errors.New("invalid adminId")
+ }
+ op := NewAdminOperator()
+ op.Id = adminId
+ op.Fullname = fullname
+ op.Username = username
+ if len(password) > 0 {
+ op.Password = stringutil.Md5(password)
+ }
+ op.IsSuper = isSuper
+ if len(modulesJSON) > 0 {
+ op.Modules = modulesJSON
+ } else {
+ op.Modules = "[]"
+ }
+ _, err := this.Save(op)
+ return err
+}
+
 // 检查用户名是否存在
 func (this *AdminDAO) CheckAdminUsername(adminId int64, username string) (bool, error) {
 query := this.Query().
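Review bot: `modulesJSON` is assigned to `op.Modules` in `CreateAdmin` with no check that it is well-formed JSON; the added lines only separate empty from non-empty input. The service layer later runs `json.Unmarshal` on this column and returns the error, so a single malformed value would break that admin's lookup and, judging by the later service hunk, the whole `FindAllAdminModules` listing. Rejecting bad input at write time, e.g. `if len(modulesJSON) > 0 && !json.Valid(modulesJSON) { return 0, errors.New("invalid modulesJSON") }` (this file would need the `encoding/json` import), keeps the stored permission data parseable. The same applies to `UpdateAdmin` in `@@ -147,6 +153,28 @@` and `UpdateAdminModules` in `@@ -172,3 +200,49 @@`. The end of `CreateAdmin` lies outside this hunk.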
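Review bot: The new `UpdateAdmin` stores the password as `stringutil.Md5(password)`, an unsalted and fast digest, so a leaked copy of the admin table can be attacked offline cheaply and identical passwords yield identical hashes. The line copies the scheme `CreateAdmin` already uses, so changing it also means changing the login comparison, which is not visible in this diff. I would route every password write through one helper that wraps a salted password KDF (for example `bcrypt.GenerateFromPassword` from golang.org/x/crypto) and re-hash legacy MD5 values on the next successful login. Separately, `op.Username = username` is saved without the duplicate check that `CheckAdminUsername` offers; presumably the caller is expected to run it, which deserves a comment on the method.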
@@ -172,3 +200,49 @@ func (this *AdminDAO) UpdateAdminLogin(adminId int64, username string, password
 _, err := this.Save(op)
 return err
 }
+
+// 修改管理员可以管理的模块
+func (this *AdminDAO) UpdateAdminModules(adminId int64, allowModulesJSON []byte) error {
+ if adminId <= 0 {
+ return errors.New("invalid adminId")
+ }
+ op := NewAdminOperator()
+ op.Id = adminId
+ op.Modules = allowModulesJSON
+ _, err := this.Save(op)
+ if err != nil {
+ return err
+ }
+ return nil
+}
+
+// 查询所有管理的权限
+func (this *AdminDAO) FindAllAdminModules() (result []*Admin, err error) {
+ _, err = this.Query().
+ State(AdminStateEnabled).
+ Attr("isOn", true).
+ Result("id", "modules", "isSuper").
+ Slice(&result).
+ FindAll()
+ return
+}
+
+// 计算所有管理员数量
+func (this *AdminDAO) CountAllEnabledAdmins() (int64, error) {
+ return this.Query().
+ State(AdminStateEnabled).
+ Count()
+}
+
+// 列出单页的管理员
+func (this *AdminDAO) ListEnabledAdmins(offset int64, size int64) (result []*Admin, err error) {
+ _, err = this.Query().
+ State(AdminStateEnabled).
+ Result("id", "isOn", "username", "fullname", "isSuper", "createdAt").
+ Offset(offset).
+ Limit(size).
+ DescPk().
+ Slice(&result).
+ FindAll()
+ return
+}
diff --git a/internal/db/models/admin_model.go b/internal/db/models/admin_model.go
index ee186536..d0dab029 100644
--- a/internal/db/models/admin_model.go
+++ b/internal/db/models/admin_model.go
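Review bot: `ListEnabledAdmins` hands `offset` and `size` straight to `Offset`/`Limit`, so the page size is whatever the RPC caller sends (the service hunk passes `req.Size` unchanged). A guard at the top, such as `if size <= 0 || size > maxPageSize { size = maxPageSize }` with `maxPageSize` being a constant you would define (placeholder name), bounds the result set; how the query builder treats a zero or negative limit is not visible here. Smaller points in the same hunk: `UpdateAdminModules` can end with `return err` like its neighbours, and unlike `CreateAdmin` it has no `"[]"` fallback when `allowModulesJSON` is empty.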
@@ -3,26 +3,28 @@ package models
 // 管理员
 type Admin struct {
 Id uint32 `field:"id"` // ID
+ IsOn uint8 `field:"isOn"` // 是否启用
 Username string `field:"username"` // 用户名
 Password string `field:"password"` // 密码
 Fullname string `field:"fullname"` // 全名
 IsSuper uint8 `field:"isSuper"` // 是否为超级管理员
 CreatedAt uint64 `field:"createdAt"` // 创建时间
 UpdatedAt uint64 `field:"updatedAt"` // 修改时间
- IsOn uint8 `field:"isOn"` // 是否启用
 State uint8 `field:"state"` // 状态
+ Modules string `field:"modules"` // 允许的模块
 }
 type AdminOperator struct {
 Id interface{} // ID
+ IsOn interface{} // 是否启用
 Username interface{} // 用户名
 Password interface{} // 密码
 Fullname interface{} // 全名
 IsSuper interface{} // 是否为超级管理员
 CreatedAt interface{} // 创建时间
 UpdatedAt interface{} // 修改时间
- IsOn interface{} // 是否启用
 State interface{} // 状态
+ Modules interface{} // 允许的模块
 }
 func NewAdminOperator() *AdminOperator {
diff --git a/internal/rpc/services/service_admin.go b/internal/rpc/services/service_admin.go
index 5db59a8b..d5066a17 100644
--- a/internal/rpc/services/service_admin.go
+++ b/internal/rpc/services/service_admin.go
@@ -2,11 +2,13 @@ package services
 import (
 "context"
+ "encoding/json"
 "github.com/TeaOSLab/EdgeAPI/internal/db/models"
 "github.com/TeaOSLab/EdgeAPI/internal/errors"
 rpcutils "github.com/TeaOSLab/EdgeAPI/internal/rpc/utils"
 "github.com/TeaOSLab/EdgeAPI/internal/utils"
 "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+ "github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
 )
 type AdminService struct {
@@ -115,6 +117,8 @@ func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnab
 return nil, err
 }
+ // TODO 检查权限
+
 admin, err := models.SharedAdminDAO.FindEnabledAdmin(req.AdminId)
 if err != nil {
 return nil, err
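Review bot: The added `// TODO 检查权限` in `FindEnabledAdmin` marks a permission check that is still missing: once request validation succeeds, nothing visible ties the caller to the `AdminId` being read. The same placeholder sits in every handler added by `@@ -195,3 +217,142 @@`, where it matters most, because `CreateAdmin` and `UpdateAdmin` take `IsSuper` and `ModulesJSON` from the request and `DeleteAdmin` disables whichever `AdminId` is sent; as written, any caller that passes validation could apparently grant super-admin rights, change another admin's password or disable an account. Those handlers also discard the first return value of `this.ValidateAdmin(ctx, 0)`, presumably the caller's admin ID; keeping it, e.g. `callerId, err := this.ValidateAdmin(ctx, 0)`, is the first step towards checking that the caller is a super admin or holds the relevant module before the DAO call. What `ValidateAdmin` itself enforces is outside this diff, so confirm it does not already cover this before treating the write RPCs as unprotected.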
@@ -123,11 +127,29 @@ func (this *AdminService) FindEnabledAdmin(ctx context.Context, req *pb.FindEnab
 return &pb.FindEnabledAdminResponse{Admin: nil}, nil
 }
+ pbModules := []*pb.AdminModule{}
+ modules := []*systemconfigs.AdminModule{}
+ if len(admin.Modules) > 0 && admin.Modules != "null" {
+ err = json.Unmarshal([]byte(admin.Modules), &modules)
+ if err != nil {
+ return nil, err
+ }
+ for _, module := range modules {
+ pbModules = append(pbModules, &pb.AdminModule{
+ AllowAll: module.AllowAll,
+ Code: module.Code,
+ Actions: module.Actions,
+ })
+ }
+ }
+
 result := &pb.Admin{
 Id: int64(admin.Id),
 Fullname: admin.Fullname,
 Username: admin.Username,
 IsOn: admin.IsOn == 1,
+ IsSuper: admin.IsSuper == 1,
+ Modules: pbModules,
 }
 return &pb.FindEnabledAdminResponse{Admin: result}, nil
 }
@@ -151,7 +173,7 @@ func (this *AdminService) CreateOrUpdateAdmin(ctx context.Context, req *pb.Creat
 }
 return &pb.CreateOrUpdateAdminResponse{AdminId: adminId}, nil
 }
- adminId, err = models.SharedAdminDAO.CreateAdmin(req.Username, req.Password, "管理员")
+ adminId, err = models.SharedAdminDAO.CreateAdmin(req.Username, req.Password, "管理员", true, nil)
 if err != nil {
 return nil, err
 }
@@ -159,14 +181,14 @@ func (this *AdminService) CreateOrUpdateAdmin(ctx context.Context, req *pb.Creat
 }
 // 修改管理员信息
-func (this *AdminService) UpdateAdmin(ctx context.Context, req *pb.UpdateAdminRequest) (*pb.RPCSuccess, error) {
+func (this *AdminService) UpdateAdminInfo(ctx context.Context, req *pb.UpdateAdminInfoRequest) (*pb.RPCSuccess, error) {
 // 校验请求
 _, _, err := rpcutils.ValidateRequest(ctx, rpcutils.UserTypeAdmin, rpcutils.UserTypeAPI)
 if err != nil {
 return nil, err
 }
- err = models.SharedAdminDAO.UpdateAdmin(req.AdminId, req.Fullname)
+ err = models.SharedAdminDAO.UpdateAdminInfo(req.AdminId, req.Fullname)
 if err != nil {
 return nil, err
 }
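Review bot: In `CreateOrUpdateAdmin` (`@@ -151,7 +173,7 @@`) the new call passes the literals `true, nil`, so every account created through this path becomes a super admin with an empty module list. If this RPC exists only to bootstrap the first administrator, say so next to the call, e.g. `// bootstrap path: the account created here is always a super admin`, and confirm that the validation at the top of the function, which is outside the hunk, limits who can reach it. If it can still be called after initial setup, the flag should come from an authorised request rather than a hard-coded value.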
@@ -195,3 +217,142 @@ func (this *AdminService) UpdateAdminLogin(ctx context.Context, req *pb.UpdateAd
 }
 return this.Success()
 }
+
+// 获取所有管理员的权限列表
+func (this *AdminService) FindAllAdminModules(ctx context.Context, req *pb.FindAllAdminModulesRequest) (*pb.FindAllAdminModulesResponse, error) {
+ _, err := this.ValidateAdmin(ctx, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO 检查权限
+
+ admins, err := models.SharedAdminDAO.FindAllAdminModules()
+ if err != nil {
+ return nil, err
+ }
+
+ result := []*pb.AdminModuleList{}
+ for _, admin := range admins {
+ modules := []*systemconfigs.AdminModule{}
+ if len(admin.Modules) > 0 && admin.Modules != "null" {
+ err = json.Unmarshal([]byte(admin.Modules), &modules)
+ if err != nil {
+ return nil, err
+ }
+ }
+ pbModules := []*pb.AdminModule{}
+ for _, module := range modules {
+ pbModules = append(pbModules, &pb.AdminModule{
+ AllowAll: module.AllowAll,
+ Code: module.Code,
+ Actions: module.Actions,
+ })
+ }
+
+ list := &pb.AdminModuleList{
+ AdminId: int64(admin.Id),
+ IsSuper: admin.IsSuper == 1,
+ Modules: pbModules,
+ }
+ result = append(result, list)
+ }
+
+ return &pb.FindAllAdminModulesResponse{AdminModules: result}, nil
+}
+
+// 创建管理员
+func (this *AdminService) CreateAdmin(ctx context.Context, req *pb.CreateAdminRequest) (*pb.CreateAdminResponse, error) {
+ _, err := this.ValidateAdmin(ctx, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO 检查权限
+
+ adminId, err := models.SharedAdminDAO.CreateAdmin(req.Username, req.Password, req.Fullname, req.IsSuper, req.ModulesJSON)
+ if err != nil {
+ return nil, err
+ }
+ return &pb.CreateAdminResponse{AdminId: adminId}, nil
+}
+
+// 修改管理员
+func (this *AdminService) UpdateAdmin(ctx context.Context, req *pb.UpdateAdminRequest) (*pb.RPCSuccess, error) {
+ _, err := this.ValidateAdmin(ctx, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO 检查权限
+
+ err = models.SharedAdminDAO.UpdateAdmin(req.AdminId, req.Username, req.Password, req.Fullname, req.IsSuper, req.ModulesJSON)
+ if err != nil {
+ return nil, err
+ }
+ return this.Success()
+}
+
+// 计算管理员数量
+func (this *AdminService) CountAllEnabledAdmins(ctx context.Context, req *pb.CountAllEnabledAdminsRequest) (*pb.RPCCountResponse, error) {
+ _, err := this.ValidateAdmin(ctx, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO 检查权限
+
+ count, err := models.SharedAdminDAO.CountAllEnabledAdmins()
+ if err != nil {
+ return nil, err
+ }
+ return this.SuccessCount(count)
+}
+
+// 列出单页的管理员
+func (this *AdminService) ListEnabledAdmins(ctx context.Context, req *pb.ListEnabledAdminsRequest) (*pb.ListEnabledAdminsResponse, error) {
+ _, err := this.ValidateAdmin(ctx, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO 检查权限
+
+ admins, err := models.SharedAdminDAO.ListEnabledAdmins(req.Offset, req.Size)
+ if err != nil {
+ return nil, err
+ }
+
+ result := []*pb.Admin{}
+ for _, admin := range admins {
+ result = append(result, &pb.Admin{
+ Id: int64(admin.Id),
+ Fullname: admin.Fullname,
+ Username: admin.Username,
+ IsOn: admin.IsOn == 1,
+ IsSuper: admin.IsSuper == 1,
+ CreatedAt: int64(admin.CreatedAt),
+ })
+ }
+
+ return &pb.ListEnabledAdminsResponse{Admins: result}, nil
+}
+
+// 删除管理员
+func (this *AdminService) DeleteAdmin(ctx context.Context, req *pb.DeleteAdminRequest) (*pb.RPCSuccess, error) {
+ _, err := this.ValidateAdmin(ctx, 0)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO 检查权限
+
+ // TODO 超级管理员用户是不能删除的,或者要至少留一个超级管理员用户
+
+ _, err = models.SharedAdminDAO.DisableAdmin(req.AdminId)
+ if err != nil {
+ return nil, err
+ }
+
+ return this.Success()
+}
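Review bot: `DeleteAdmin` calls `DisableAdmin(req.AdminId)` with no guard against removing the last super admin or the caller's own account; the TODO above the call says as much, and `UpdateAdmin` has the same gap because it forwards `req.IsSuper` unconditionally. Either path can leave the system with no account able to manage administrators. Before the DAO call I would load the target and, if it is a super admin, refuse when no other enabled super admin remains; that needs a counting query this diff does not add. Separately, in `FindAllAdminModules` one row whose `modules` column fails `json.Unmarshal` aborts the whole listing with `return nil, err`; logging the admin ID and continuing with an empty module list for that row would keep a single bad record from breaking the listing for everyone.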