actiontech · iwanghc · May 12, 2026 · May 8, 2026 · May 8, 2026 · May 8, 2026
diff --git a/api/dms/service/v1/user.go b/api/dms/service/v1/user.go
@@ -30,6 +30,8 @@ type User struct {
 	ThirdPartyUserID       string `json:"third_party_user_id"`
 	ThirdPartyUserInfo     string `json:"third_party_user_info"`
 	UserAuthenticationType string `json:"user_authentication_type"`
+	// Business write permission, only effective for system administrators
+	BusinessWritePermission *bool `json:"business_write_permission"`
 }
 
 // swagger:model
@@ -100,6 +102,8 @@ type UpdateUser struct {
 	UserAuthenticationType *string `json:"user_authentication_type"`
 	// User system
 	System *UserSystem `json:"system"`
+	// Business write permission for system administrators
+	BusinessWritePermission *bool `json:"business_write_permission"`
 }
 
 // swagger:model

diff --git a/api/swagger.json b/api/swagger.json
@@ -11204,7 +11204,7 @@
           "x-go-name": "Users"
         }
       },
-      "x-go-package": "github.com/actiontech/dms/api/dms/service/v1"
+      "x-go-package": "github.com/actiontech/dms/pkg/dms-common/api/dms/v1"
     },
     "GetMemberGroupReply": {
       "type": "object",
@@ -11627,6 +11627,11 @@
           "x-go-enum-desc": "ldap UserAuthenticationTypeLDAP\ndms UserAuthenticationTypeDMS\noauth2 UserAuthenticationTypeOAUTH2\nunknown UserAuthenticationTypeUnknown",
           "x-go-name": "AuthenticationType"
         },
+        "business_write_permission": {
+          "description": "business write permission",
+          "type": "boolean",
+          "x-go-name": "BusinessWritePermission"
+        },
         "email": {
           "description": "user email",
           "type": "string",
@@ -11769,6 +11774,11 @@
           "description": "user op permission reply\nis user admin, admin has all permissions",
           "type": "object",
           "properties": {
+            "business_write_permission": {
+              "description": "business write permission",
+              "type": "boolean",
+              "x-go-name": "BusinessWritePermission"
+            },
             "is_admin": {
               "type": "boolean",
               "x-go-name": "IsAdmin"
@@ -14835,6 +14845,11 @@
           "x-go-enum-desc": "ldap UserAuthenticationTypeLDAP\ndms UserAuthenticationTypeDMS\noauth2 UserAuthenticationTypeOAUTH2\nunknown UserAuthenticationTypeUnknown",
           "x-go-name": "AuthenticationType"
         },
+        "business_write_permission": {
+          "description": "business write permission",
+          "type": "boolean",
+          "x-go-name": "BusinessWritePermission"
+        },
         "email": {
           "description": "user email",
           "type": "string",
@@ -18602,6 +18617,11 @@
     "UpdateUser": {
       "type": "object",
       "properties": {
+        "business_write_permission": {
+          "description": "Business write permission for system administrators",
+          "type": "boolean",
+          "x-go-name": "BusinessWritePermission"
+        },
         "email": {
           "description": "User email",
           "type": "string",
@@ -18772,6 +18792,11 @@
         "name"
       ],
       "properties": {
+        "business_write_permission": {
+          "description": "Business write permission, only effective for system administrators",
+          "type": "boolean",
+          "x-go-name": "BusinessWritePermission"
+        },
         "desc": {
           "description": "user description",
           "type": "string",

diff --git a/api/swagger.yaml b/api/swagger.yaml
@@ -2273,7 +2273,7 @@ definitions:
                 type: array
                 x-go-name: Users
         type: object
-        x-go-package: github.com/actiontech/dms/api/dms/service/v1
+        x-go-package: github.com/actiontech/dms/pkg/dms-common/api/dms/v1
     GetMemberGroupReply:
         properties:
             code:
@@ -2599,6 +2599,10 @@ definitions:
                     oauth2 UserAuthenticationTypeOAUTH2
                     unknown UserAuthenticationTypeUnknown
                 x-go-name: AuthenticationType
+            business_write_permission:
+                description: business write permission
+                type: boolean
+                x-go-name: BusinessWritePermission
             email:
                 description: user email
                 type: string
@@ -2730,6 +2734,10 @@ definitions:
                     user op permission reply
                     is user admin, admin has all permissions
                 properties:
+                    business_write_permission:
+                        description: business write permission
+                        type: boolean
+                        x-go-name: BusinessWritePermission
                     is_admin:
                         type: boolean
                         x-go-name: IsAdmin
@@ -5242,6 +5250,10 @@ definitions:
                     oauth2 UserAuthenticationTypeOAUTH2
                     unknown UserAuthenticationTypeUnknown
                 x-go-name: AuthenticationType
+            business_write_permission:
+                description: business write permission
+                type: boolean
+                x-go-name: BusinessWritePermission
             email:
                 description: user email
                 type: string
@@ -8332,6 +8344,10 @@ definitions:
         x-go-package: github.com/actiontech/dms/pkg/dms-common/api/dms/v1
     UpdateUser:
         properties:
+            business_write_permission:
+                description: Business write permission for system administrators
+                type: boolean
+                x-go-name: BusinessWritePermission
             email:
                 description: User email
                 type: string
@@ -8461,6 +8477,10 @@ definitions:
     User:
         description: A user
         properties:
+            business_write_permission:
+                description: Business write permission, only effective for system administrators
+                type: boolean
+                x-go-name: BusinessWritePermission
             desc:
                 description: user description
                 type: string

diff --git a/internal/dms/biz/cloudbeaver.go b/internal/dms/biz/cloudbeaver.go
@@ -1323,7 +1323,7 @@ func (cu *CloudbeaverUsecase) connectManagement(ctx context.Context, cloudbeaver
 		return cu.clearConnection(ctx)
 	}
 
-	hasGlobalOpPermission, err := cu.opPermissionVerifyUsecase.CanOpGlobal(ctx, dmsUser.UID)
+	hasGlobalOpPermission, err := cu.opPermissionVerifyUsecase.CanOpGlobal(ctx, dmsUser.UID, true)
 	if err != nil {
 		return err
 	}

diff --git a/internal/dms/biz/environment_tag.go b/internal/dms/biz/environment_tag.go
@@ -82,7 +82,7 @@ func (uc *EnvironmentTagUsecase) CreateEnvironmentTag(ctx context.Context, proje
 	}
 
 	// 检查当前用户有项目管理员权限
-	if canOpProject, err := uc.opPermissionVerifyUsecase.CanOpProject(ctx, currentUserUid, projectUid); err != nil {
+	if canOpProject, err := uc.opPermissionVerifyUsecase.CanOpProject(ctx, currentUserUid, projectUid, false); err != nil {
 		return fmt.Errorf("check user is project admin or golobal op permission failed: %v", err)
 	} else if !canOpProject {
 		return fmt.Errorf("user is not project admin or golobal op permission user")
@@ -116,7 +116,7 @@ func (uc *EnvironmentTagUsecase) UpdateEnvironmentTag(ctx context.Context, proje
 	}
 
 	// 检查当前用户有项目管理员权限
-	if canOpProject, err := uc.opPermissionVerifyUsecase.CanOpProject(ctx, currentUserUid, projectUid); err != nil {
+	if canOpProject, err := uc.opPermissionVerifyUsecase.CanOpProject(ctx, currentUserUid, projectUid, false); err != nil {
 		return fmt.Errorf("check user is project admin or golobal op permission failed: %v", err)
 	} else if !canOpProject {
 		return fmt.Errorf("user is not project admin or golobal op permission user")
@@ -145,7 +145,7 @@ func (uc *EnvironmentTagUsecase) DeleteEnvironmentTag(ctx context.Context, proje
 	}
 
 	// 检查当前用户有项目管理员权限
-	if canOpProject, err := uc.opPermissionVerifyUsecase.CanOpProject(ctx, currentUserUid, projectUid); err != nil {
+	if canOpProject, err := uc.opPermissionVerifyUsecase.CanOpProject(ctx, currentUserUid, projectUid, false); err != nil {
 		return fmt.Errorf("check user is project admin or golobal op permission failed: %v", err)
 	} else if !canOpProject {
 		return fmt.Errorf("user is not project admin or golobal op permission user")

diff --git a/internal/dms/biz/maintenance_time.go b/internal/dms/biz/maintenance_time.go
@@ -87,7 +87,7 @@ func (m *MaintenanceTimeUsecase) CheckSQLExecutionAllowed(
 	}
 
 	// 4. 检查用户是否为管理员
-	isAdmin, err := m.opPermissionVerifyUsecase.CanOpGlobal(ctx, userUid)
+	isAdmin, err := m.opPermissionVerifyUsecase.CanOpGlobal(ctx, userUid, false)
 	if err != nil {
 		return false, "", fmt.Errorf("failed to check user admin permission: %v", err)
 	}

diff --git a/internal/dms/biz/op_permission.go b/internal/dms/biz/op_permission.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+
 	v1 "github.com/actiontech/dms/api/dms/service/v1"
 
 	pkgConst "github.com/actiontech/dms/internal/dms/pkg/constant"
@@ -92,13 +93,6 @@ func initOpPermission() []*OpPermission {
 			Desc:      "具备系统最高权限，可进行系统配置、用户管理等操作",
 			Service:   v1.ServiceSQLE,
 		},
-		{
-			UID:       pkgConst.UIDOfOpPermissionCreateProject,
-			Name:      "项目总监", // todo i18n 返回时会根据uid国际化，name、desc已弃用；数据库name字段是唯一键，故暂时保留
-			RangeType: OpRangeTypeGlobal,
-			Desc:      "创建项目、配置项目资源",
-			Service:   v1.ServiceSQLE,
-		},
 		{
 			UID:       pkgConst.UIDOfOrdinaryUser,
 			Name:      "普通用户", // todo i18n 返回时会根据uid国际化，name、desc已弃用；数据库name字段是唯一键，故暂时保留