diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
index 494dba648e7..56d681656c7 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
@@ -48,42 +48,75 @@ public PermissionValidator(
     this.systemRoleManagerService = systemRoleManagerService;
   }
 
-  public boolean hasModifyNamespacePermission(String appId, String namespaceName) {
+  private boolean hasModifyNamespacePermission(String appId, String namespaceName) {
     return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
         PermissionType.MODIFY_NAMESPACE,
         RoleUtils.buildNamespaceTargetId(appId, namespaceName));
   }
 
-  public boolean hasModifyNamespacePermission(String appId, String namespaceName, String env) {
-    return hasModifyNamespacePermission(appId, namespaceName) ||
-        rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
-            PermissionType.MODIFY_NAMESPACE, RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
+  private boolean hasModifyNamespacePermission(String appId, String namespaceName, String env) {
+    return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+        PermissionType.MODIFY_NAMESPACE,
+        RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
   }
 
-  public boolean hasReleaseNamespacePermission(String appId, String namespaceName) {
+  private boolean hasModifyNamespacesInClusterPermission(String appId, String env, String clusterName) {
+    return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+        PermissionType.MODIFY_NAMESPACES_IN_CLUSTER,
+        RoleUtils.buildClusterTargetId(appId, env, clusterName));
+  }
+
+  public boolean hasModifyNamespacePermission(String appId, String env, String clusterName, String namespaceName) {
+    if (hasModifyNamespacePermission(appId, namespaceName)) {
+      return true;
+    }
+    if (hasModifyNamespacePermission(appId, namespaceName, env)) {
+      return true;
+    }
+    if (hasModifyNamespacesInClusterPermission(appId, env, clusterName)) {
+      return true;
+    }
+    return false;
+  }
+
+  private boolean hasReleaseNamespacePermission(String appId, String namespaceName) {
     return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
         PermissionType.RELEASE_NAMESPACE,
         RoleUtils.buildNamespaceTargetId(appId, namespaceName));
   }
 
-  public boolean hasReleaseNamespacePermission(String appId, String namespaceName, String env) {
-    return hasReleaseNamespacePermission(appId, namespaceName) ||
-        rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
-        PermissionType.RELEASE_NAMESPACE, RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
+  private boolean hasReleaseNamespacePermission(String appId, String namespaceName, String env) {
+    return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+        PermissionType.RELEASE_NAMESPACE,
+        RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
+  }
+
+  private boolean hasReleaseNamespacesInClusterPermission(String appId, String env, String clusterName) {
+    return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+        PermissionType.RELEASE_NAMESPACES_IN_CLUSTER,
+        RoleUtils.buildClusterTargetId(appId, env, clusterName));
   }
 
-  public boolean hasDeleteNamespacePermission(String appId) {
-    return hasAssignRolePermission(appId) || isSuperAdmin();
+  public boolean hasReleaseNamespacePermission(String appId, String env, String clusterName, String namespaceName) {
+    if (hasReleaseNamespacePermission(appId, namespaceName)) {
+      return true;
+    }
+    if (hasReleaseNamespacePermission(appId, namespaceName, env)) {
+      return true;
+    }
+    if (hasReleaseNamespacesInClusterPermission(appId, env, clusterName)) {
+      return true;
+    }
+    return false;
   }
 
-  public boolean hasOperateNamespacePermission(String appId, String namespaceName) {
-    return hasModifyNamespacePermission(appId, namespaceName) || hasReleaseNamespacePermission(appId, namespaceName);
+  public boolean hasDeleteNamespacePermission(String appId) {
+    return hasAssignRolePermission(appId) || isSuperAdmin();
   }
 
-  public boolean hasOperateNamespacePermission(String appId, String namespaceName, String env) {
-    return hasOperateNamespacePermission(appId, namespaceName) ||
-        hasModifyNamespacePermission(appId, namespaceName, env) ||
-        hasReleaseNamespacePermission(appId, namespaceName, env);
+  public boolean hasOperateNamespacePermission(String appId, String env, String clusterName, String namespaceName) {
+    return hasModifyNamespacePermission(appId, env, clusterName, namespaceName)
+        || hasReleaseNamespacePermission(appId, env, clusterName, namespaceName);
   }
 
   public boolean hasAssignRolePermission(String appId) {
@@ -124,7 +157,8 @@ public boolean isSuperAdmin() {
     return rolePermissionService.isSuperAdmin(userInfoHolder.getUser().getUserId());
   }
 
-  public boolean shouldHideConfigToCurrentUser(String appId, String env, String namespaceName) {
+  public boolean shouldHideConfigToCurrentUser(String appId, String env, String clusterName,
+      String namespaceName) {
     // 1. check whether the current environment enables member only function
     if (!portalConfig.isConfigViewMemberOnly(env)) {
       return false;
@@ -137,7 +171,7 @@ public boolean shouldHideConfigToCurrentUser(String appId, String env, String na
     }
 
     // 3. check app admin and operate permissions
-    return !isAppAdmin(appId) && !hasOperateNamespacePermission(appId, namespaceName, env);
+    return !isAppAdmin(appId) && !hasOperateNamespacePermission(appId, env, clusterName, namespaceName);
   }
 
   public boolean hasCreateApplicationPermission() {
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/PermissionType.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/PermissionType.java
index 85aa1d75806..85ec0ded21b 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/PermissionType.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/PermissionType.java
@@ -45,5 +45,8 @@ public interface PermissionType {
 
   String RELEASE_NAMESPACE = "ReleaseNamespace";
 
+  String MODIFY_NAMESPACES_IN_CLUSTER = "ModifyNamespacesInCluster";
+
+  String RELEASE_NAMESPACES_IN_CLUSTER = "ReleaseNamespacesInCluster";
 
 }
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/RoleType.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/RoleType.java
index 802eafe5185..d0bd413d0ff 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/RoleType.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/RoleType.java
@@ -24,8 +24,13 @@ public class RoleType {
 
   public static final String RELEASE_NAMESPACE = "ReleaseNamespace";
 
+  public static final String MODIFY_NAMESPACES_IN_CLUSTER = "ModifyNamespacesInCluster";
+
+  public static final String RELEASE_NAMESPACES_IN_CLUSTER = "ReleaseNamespacesInCluster";
+
   public static boolean isValidRoleType(String roleType) {
-    return MASTER.equals(roleType) || MODIFY_NAMESPACE.equals(roleType) || RELEASE_NAMESPACE.equals(roleType);
+    return MASTER.equals(roleType) || MODIFY_NAMESPACE.equals(roleType) || RELEASE_NAMESPACE.equals(
+        roleType) || MODIFY_NAMESPACES_IN_CLUSTER.equals(roleType) || RELEASE_NAMESPACES_IN_CLUSTER.equals(roleType);
   }
 
 }
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java
index f1e030536e3..c9cb5ba3efd 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java
@@ -51,7 +51,7 @@ public List<CommitDTO> find(@PathVariable String appId, @PathVariable String env
                               @RequestParam(required = false) String key,
                               @Valid @PositiveOrZero(message = "page should be positive or 0") @RequestParam(defaultValue = "0") int page,
                               @Valid @Positive(message = "size should be positive number") @RequestParam(defaultValue = "10") int size) {
-    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) {
       return Collections.emptyList();
     }
 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java
index fc6ae086f4d..565959fc0e6 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java
@@ -78,7 +78,7 @@ public ConfigsExportController(
    *   application.json
    * </pre>
    */
-  @PreAuthorize(value = "!@permissionValidator.shouldHideConfigToCurrentUser(#appId, #env, #namespaceName)")
+  @PreAuthorize(value = "!@permissionValidator.shouldHideConfigToCurrentUser(#appId, #env, #clusterName, #namespaceName)")
   @GetMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/export")
   public void exportItems(@PathVariable String appId, @PathVariable String env,
                                   @PathVariable String clusterName, @PathVariable String namespaceName,
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java
index 88ecfba5a69..60e8b74f5ea 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java
@@ -61,7 +61,7 @@ public ConfigsImportController(
    *             etc.
    * @throws IOException
    */
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PostMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/import")
   public void importConfigFile(@PathVariable String appId, @PathVariable String env,
                                @PathVariable String clusterName, @PathVariable String namespaceName,
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
index e0c985b1035..d4becc38e7b 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
@@ -73,7 +73,7 @@ public ItemController(final ItemService configService, final UserInfoHolder user
     this.namespaceService = namespaceService;
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PutMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items", consumes = {
       "application/json"})
   public void modifyItemsByText(@PathVariable String appId, @PathVariable String env,
@@ -87,7 +87,7 @@ public void modifyItemsByText(@PathVariable String appId, @PathVariable String e
     configService.updateConfigItemByText(model);
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PostMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item")
   public ItemDTO createItem(@PathVariable String appId, @PathVariable String env,
                             @PathVariable String clusterName, @PathVariable String namespaceName,
@@ -106,7 +106,7 @@ public ItemDTO createItem(@PathVariable String appId, @PathVariable String env,
     return configService.createItem(appId, Env.valueOf(env), clusterName, namespaceName, item);
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PutMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item")
   public void updateItem(@PathVariable String appId, @PathVariable String env,
                          @PathVariable String clusterName, @PathVariable String namespaceName,
@@ -120,7 +120,7 @@ public void updateItem(@PathVariable String appId, @PathVariable String env,
   }
 
 
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env) ")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @DeleteMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/{itemId}")
   public void deleteItem(@PathVariable String appId, @PathVariable String env,
                          @PathVariable String clusterName, @PathVariable String namespaceName,
@@ -142,7 +142,7 @@ public List<ItemDTO> findItems(@PathVariable String appId, @PathVariable String
                                  @PathVariable String clusterName, @PathVariable String namespaceName,
                                  @RequestParam(defaultValue = "lineNum") String orderBy) {
 
-    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) {
       return Collections.emptyList();
     }
 
@@ -183,9 +183,10 @@ public List<ItemDiffs> diff(@RequestBody NamespaceSyncModel model) {
       }
 
       if (permissionValidator
-          .shouldHideConfigToCurrentUser(namespace.getAppId(), namespace.getEnv().getName(), namespace.getNamespaceName())) {
+          .shouldHideConfigToCurrentUser(namespace.getAppId(), namespace.getEnv().getName(),
+              namespace.getClusterName(), namespace.getNamespaceName())) {
         diff.setDiffs(new ItemChangeSets());
-        diff.setExtInfo("You are not this project's administrator, nor you have edit or release permission for the namespace in environment: " + namespace.getEnv());
+        diff.setExtInfo("You are not this project's administrator, nor you have edit or release permission for the namespace: " + namespace);
       }
     }
 
@@ -196,29 +197,30 @@ public List<ItemDiffs> diff(@RequestBody NamespaceSyncModel model) {
   public ResponseEntity<Void> update(@PathVariable String appId, @PathVariable String namespaceName,
                                      @RequestBody NamespaceSyncModel model) {
     checkModel(!model.isInvalid() && model.syncToNamespacesValid(appId, namespaceName));
-    boolean hasPermission = permissionValidator.hasModifyNamespacePermission(appId, namespaceName);
-    Env envNoPermission = null;
-    // if uses has ModifyNamespace permission then he has permission
-    if (!hasPermission) {
-      // else check if user has every env's ModifyNamespace permission
-      hasPermission = true;
-      for (NamespaceIdentifier namespaceIdentifier : model.getSyncToNamespaces()) {
-        // once user has not one of the env's ModifyNamespace permission, then break the loop
-        hasPermission &= permissionValidator.hasModifyNamespacePermission(namespaceIdentifier.getAppId(), namespaceIdentifier.getNamespaceName(), namespaceIdentifier.getEnv().toString());
-        if (!hasPermission) {
-          envNoPermission = namespaceIdentifier.getEnv();
-          break;
-        }
+    NamespaceIdentifier noPermissionNamespace = null;
+    // check if user has every namespace's ModifyNamespace permission
+    boolean hasPermission = true;
+    for (NamespaceIdentifier namespaceIdentifier : model.getSyncToNamespaces()) {
+      // once user has not one of the namespace's ModifyNamespace permission, then break the loop
+      hasPermission = permissionValidator.hasModifyNamespacePermission(
+          namespaceIdentifier.getAppId(),
+          namespaceIdentifier.getEnv().getName(),
+          namespaceIdentifier.getClusterName(),
+          namespaceIdentifier.getNamespaceName()
+      );
+      if (!hasPermission) {
+        noPermissionNamespace = namespaceIdentifier;
+        break;
       }
     }
     if (hasPermission) {
       configService.syncItems(model.getSyncToNamespaces(), model.getSyncItems());
       return ResponseEntity.status(HttpStatus.OK).build();
     }
-    throw new AccessDeniedException(String.format("You don't have the permission to modify environment: %s", envNoPermission));
+    throw new AccessDeniedException(String.format("You don't have the permission to modify namespace: %s", noPermissionNamespace));
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/syntax-check", consumes = {
       "application/json"})
   public ResponseEntity<Void> syntaxCheckText(@PathVariable String appId, @PathVariable String env,
@@ -229,7 +231,7 @@ public ResponseEntity<Void> syntaxCheckText(@PathVariable String appId, @PathVar
     return ResponseEntity.ok().build();
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PutMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/revoke-items")
   public void revokeItems(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName,
       @PathVariable String namespaceName) {
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
index 8daa6b68a87..95cb5d9fb17 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
@@ -71,14 +71,14 @@ public NamespaceBO findBranch(@PathVariable String appId,
                                 @PathVariable String namespaceName) {
     NamespaceBO namespaceBO = namespaceBranchService.findBranch(appId, Env.valueOf(env), clusterName, namespaceName);
 
-    if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+    if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) {
       namespaceBO.hideItems();
     }
 
     return namespaceBO;
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches")
   @ApolloAuditLog(type = OpType.CREATE, name = "NamespaceBranch.create")
   public NamespaceDTO createBranch(@PathVariable String appId,
@@ -97,9 +97,10 @@ public void deleteBranch(@PathVariable String appId,
                            @PathVariable String namespaceName,
                            @PathVariable String branchName) {
 
-    boolean canDelete = permissionValidator.hasReleaseNamespacePermission(appId, namespaceName, env) ||
-            (permissionValidator.hasModifyNamespacePermission(appId, namespaceName, env) &&
-                      releaseService.loadLatestRelease(appId, Env.valueOf(env), branchName, namespaceName) == null);
+    boolean hasModifyPermission = permissionValidator.hasModifyNamespacePermission(appId, env, clusterName, namespaceName);
+    boolean hasReleasePermission = permissionValidator.hasReleaseNamespacePermission(appId, env, clusterName, namespaceName);
+    boolean canDelete = hasReleasePermission
+        || (hasModifyPermission && releaseService.loadLatestRelease(appId, Env.valueOf(env), branchName, namespaceName) == null);
 
 
     if (!canDelete) {
@@ -115,7 +116,7 @@ public void deleteBranch(@PathVariable String appId,
 
 
 
-  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/merge")
   @ApolloAuditLog(type = OpType.UPDATE, name = "NamespaceBranch.merge")
   public ReleaseDTO merge(@PathVariable String appId, @PathVariable String env,
@@ -155,7 +156,7 @@ public GrayReleaseRuleDTO getBranchGrayRules(@PathVariable String appId, @PathVa
   }
 
 
-  @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PutMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/rules")
   @ApolloAuditLog(type = OpType.UPDATE, name = "NamespaceBranch.updateBranchRules")
   public void updateBranchRules(@PathVariable String appId, @PathVariable String env,
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java
index ee2515d99ff..ed362bf8542 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java
@@ -111,7 +111,7 @@ public List<NamespaceBO> findNamespaces(@PathVariable String appId, @PathVariabl
     List<NamespaceBO> namespaceBOs = namespaceService.findNamespaceBOs(appId, Env.valueOf(env), clusterName);
 
     for (NamespaceBO namespaceBO : namespaceBOs) {
-      if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceBO.getBaseInfo().getNamespaceName())) {
+      if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceBO.getBaseInfo().getNamespaceName())) {
         namespaceBO.hideItems();
       }
     }
@@ -125,7 +125,7 @@ public NamespaceBO findNamespace(@PathVariable String appId, @PathVariable Strin
 
     NamespaceBO namespaceBO = namespaceService.loadNamespaceBO(appId, Env.valueOf(env), clusterName, namespaceName);
 
-    if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+    if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) {
       namespaceBO.hideItems();
     }
 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java
index 8cc166ce26d..9d56e5d6fc2 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java
@@ -25,6 +25,7 @@
 import com.ctrip.framework.apollo.portal.constant.RoleType;
 import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
 import com.ctrip.framework.apollo.portal.entity.vo.AppRolesAssignedUsers;
+import com.ctrip.framework.apollo.portal.entity.vo.ClusterNamespaceRolesAssignedUsers;
 import com.ctrip.framework.apollo.portal.entity.vo.NamespaceEnvRolesAssignedUsers;
 import com.ctrip.framework.apollo.portal.entity.vo.NamespaceRolesAssignedUsers;
 import com.ctrip.framework.apollo.portal.entity.vo.PermissionCondition;
@@ -37,7 +38,6 @@
 import com.ctrip.framework.apollo.portal.util.RoleUtils;
 import com.google.common.collect.Sets;
 import com.google.gson.JsonObject;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.util.CollectionUtils;
@@ -80,6 +80,12 @@ public ResponseEntity<Void> initAppPermission(@PathVariable String appId, @Reque
     return ResponseEntity.ok().build();
   }
 
+  @PostMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/initNsPermission")
+  public ResponseEntity<Void> initClusterNamespacePermission(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName) {
+    roleInitializationService.initClusterNamespaceRoles(appId, env, clusterName, userInfoHolder.getUser().getUserId());
+    return ResponseEntity.ok().build();
+  }
+
   @GetMapping("/apps/{appId}/permissions/{permissionType}")
   public ResponseEntity<PermissionCondition> hasPermission(@PathVariable String appId, @PathVariable String permissionType) {
     PermissionCondition permissionCondition = new PermissionCondition();
@@ -114,6 +120,18 @@ public ResponseEntity<PermissionCondition> hasPermission(@PathVariable String ap
     return ResponseEntity.ok().body(permissionCondition);
   }
 
+  @GetMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_permissions/{permissionType}")
+  public ResponseEntity<PermissionCondition> hasClusterNamespacePermission(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName,
+                                                           @PathVariable String permissionType) {
+    PermissionCondition permissionCondition = new PermissionCondition();
+
+    permissionCondition.setHasPermission(
+        rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), permissionType,
+            RoleUtils.buildClusterTargetId(appId, env, clusterName)));
+
+    return ResponseEntity.ok().body(permissionCondition);
+  }
+
   @GetMapping("/permissions/root")
   public ResponseEntity<PermissionCondition> hasRootPermission() {
     PermissionCondition permissionCondition = new PermissionCondition();
@@ -192,6 +210,72 @@ public ResponseEntity<Void> removeNamespaceEnvRoleFromUser(@PathVariable String
     return ResponseEntity.ok().build();
   }
 
+  @GetMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_role_users")
+  public ClusterNamespaceRolesAssignedUsers getClusterNamespaceRoles(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName) {
+
+    // validate env parameter
+    if (Env.UNKNOWN == Env.transformEnv(env)) {
+      throw BadRequestException.invalidEnvFormat(env);
+    }
+
+    ClusterNamespaceRolesAssignedUsers assignedUsers = new ClusterNamespaceRolesAssignedUsers();
+    assignedUsers.setAppId(appId);
+    assignedUsers.setEnv(env);
+    assignedUsers.setCluster(clusterName);
+
+    Set<UserInfo> releaseNamespacesInClusterUsers =
+        rolePermissionService.queryUsersWithRole(RoleUtils.buildReleaseNamespacesInClusterRoleName(appId, env, clusterName));
+    assignedUsers.setReleaseRoleUsers(releaseNamespacesInClusterUsers);
+
+    Set<UserInfo> modifyNamespacesInClusterUsers =
+        rolePermissionService.queryUsersWithRole(RoleUtils.buildModifyNamespacesInClusterRoleName(appId, env, clusterName));
+    assignedUsers.setModifyRoleUsers(modifyNamespacesInClusterUsers);
+
+    return assignedUsers;
+  }
+
+  @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)")
+  @PostMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_roles/{roleType}")
+  public ResponseEntity<Void> assignClusterNamespaceRoleToUser(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName,
+      @PathVariable String roleType, @RequestBody String user) {
+    checkUserExists(user);
+    RequestPrecondition.checkArgumentsNotEmpty(user);
+
+    if (!RoleType.isValidRoleType(roleType)) {
+      throw BadRequestException.invalidRoleTypeFormat(roleType);
+    }
+
+    // validate env parameter
+    if (Env.UNKNOWN == Env.transformEnv(env)) {
+      throw BadRequestException.invalidEnvFormat(env);
+    }
+    Set<String> assignedUser = rolePermissionService.assignRoleToUsers(RoleUtils.buildClusterRoleName(appId, env, clusterName, roleType),
+        Sets.newHashSet(user), userInfoHolder.getUser().getUserId());
+    if (CollectionUtils.isEmpty(assignedUser)) {
+      throw BadRequestException.userAlreadyAuthorized(user);
+    }
+
+    return ResponseEntity.ok().build();
+  }
+
+  @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)")
+  @DeleteMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_roles/{roleType}")
+  public ResponseEntity<Void> removeClusterNamespaceRoleFromUser(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName,
+      @PathVariable String roleType, @RequestParam String user) {
+    RequestPrecondition.checkArgumentsNotEmpty(user);
+
+    if (!RoleType.isValidRoleType(roleType)) {
+      throw BadRequestException.invalidRoleTypeFormat(roleType);
+    }
+    // validate env parameter
+    if (Env.UNKNOWN == Env.transformEnv(env)) {
+      throw BadRequestException.invalidEnvFormat(env);
+    }
+    rolePermissionService.removeRoleFromUsers(RoleUtils.buildClusterRoleName(appId, env, clusterName, roleType),
+        Sets.newHashSet(user), userInfoHolder.getUser().getUserId());
+    return ResponseEntity.ok().build();
+  }
+
   @GetMapping("/apps/{appId}/namespaces/{namespaceName}/role_users")
   public NamespaceRolesAssignedUsers getNamespaceRoles(@PathVariable String appId, @PathVariable String namespaceName) {
 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java
index 06e303f18fe..8a1e9127a6f 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java
@@ -69,7 +69,7 @@ public ReleaseController(
     this.userInfoHolder = userInfoHolder;
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/releases")
   public ReleaseDTO createRelease(@PathVariable String appId,
                                   @PathVariable String env, @PathVariable String clusterName,
@@ -98,7 +98,7 @@ public ReleaseDTO createRelease(@PathVariable String appId,
     return createdRelease;
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)")
+  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)")
   @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/releases")
   public ReleaseDTO createGrayRelease(@PathVariable String appId,
                                       @PathVariable String env, @PathVariable String clusterName,
@@ -146,7 +146,7 @@ public List<ReleaseBO> findAllReleases(@PathVariable String appId,
                                          @PathVariable String namespaceName,
                                          @Valid @PositiveOrZero(message = "page should be positive or 0") @RequestParam(defaultValue = "0") int page,
                                          @Valid @Positive(message = "size should be positive number") @RequestParam(defaultValue = "5") int size) {
-    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) {
       return Collections.emptyList();
     }
 
@@ -161,7 +161,7 @@ public List<ReleaseDTO> findActiveReleases(@PathVariable String appId,
                                              @Valid @PositiveOrZero(message = "page should be positive or 0") @RequestParam(defaultValue = "0") int page,
                                              @Valid @Positive(message = "size should be positive number") @RequestParam(defaultValue = "5") int size) {
 
-    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) {
       return Collections.emptyList();
     }
 
@@ -187,7 +187,7 @@ public void rollback(@PathVariable String env,
       throw NotFoundException.releaseNotFound(releaseId);
     }
 
-    if (!permissionValidator.hasReleaseNamespacePermission(release.getAppId(), release.getNamespaceName(), env)) {
+    if (!permissionValidator.hasReleaseNamespacePermission(release.getAppId(), env, release.getClusterName(), release.getNamespaceName())) {
       throw new AccessDeniedException("Access is denied");
     }
 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java
index da391666836..39f1f7f4db8 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java
@@ -48,7 +48,7 @@ public List<ReleaseHistoryBO> findReleaseHistoriesByNamespace(@PathVariable Stri
                                                                 @RequestParam(value = "page", defaultValue = "0") int page,
                                                                 @RequestParam(value = "size", defaultValue = "10") int size) {
 
-    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, namespaceName)) {
+    if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) {
       return Collections.emptyList();
     }
 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/vo/ClusterNamespaceRolesAssignedUsers.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/vo/ClusterNamespaceRolesAssignedUsers.java
new file mode 100644
index 00000000000..8a3e5053ded
--- /dev/null
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/vo/ClusterNamespaceRolesAssignedUsers.java
@@ -0,0 +1,80 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.ctrip.framework.apollo.portal.entity.vo;
+
+import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
+import java.util.Set;
+
+public class ClusterNamespaceRolesAssignedUsers {
+
+  private String appId;
+  private String env;
+  private String cluster;
+  private Set<UserInfo> modifyRoleUsers;
+  private Set<UserInfo> releaseRoleUsers;
+
+  public String getEnv() {
+    return env;
+  }
+
+  public void setEnv(String env) {
+    this.env = env;
+  }
+
+  public String getAppId() {
+    return appId;
+  }
+
+  public void setAppId(String appId) {
+    this.appId = appId;
+  }
+
+  public String getCluster() {
+    return cluster;
+  }
+
+  public void setCluster(String cluster) {
+    this.cluster = cluster;
+  }
+
+  public Set<UserInfo> getModifyRoleUsers() {
+    return modifyRoleUsers;
+  }
+
+  public void setModifyRoleUsers(Set<UserInfo> modifyRoleUsers) {
+    this.modifyRoleUsers = modifyRoleUsers;
+  }
+
+  public Set<UserInfo> getReleaseRoleUsers() {
+    return releaseRoleUsers;
+  }
+
+  public void setReleaseRoleUsers(Set<UserInfo> releaseRoleUsers) {
+    this.releaseRoleUsers = releaseRoleUsers;
+  }
+
+  @Override
+  public String toString() {
+    return "ClusterNamespaceRolesAssignedUsers{" +
+        "appId='" + appId + '\'' +
+        ", env='" + env + '\'' +
+        ", cluster='" + cluster + '\'' +
+        ", modifyRoleUsers=" + modifyRoleUsers +
+        ", releaseRoleUsers=" + releaseRoleUsers +
+        '}';
+  }
+}
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/AppService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/AppService.java
index df68039f292..6a596f41fb7 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/AppService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/AppService.java
@@ -17,7 +17,6 @@
 package com.ctrip.framework.apollo.portal.service;
 
 import com.ctrip.framework.apollo.audit.annotation.ApolloAuditLog;
-import com.ctrip.framework.apollo.audit.annotation.ApolloAuditLogDataInfluence;
 import com.ctrip.framework.apollo.audit.annotation.OpType;
 import com.ctrip.framework.apollo.audit.api.ApolloAuditLogApi;
 import com.ctrip.framework.apollo.common.dto.AppDTO;
@@ -25,8 +24,10 @@
 import com.ctrip.framework.apollo.common.entity.App;
 import com.ctrip.framework.apollo.common.exception.BadRequestException;
 import com.ctrip.framework.apollo.common.utils.BeanUtils;
+import com.ctrip.framework.apollo.core.ConfigConsts;
 import com.ctrip.framework.apollo.core.utils.StringUtils;
 import com.ctrip.framework.apollo.portal.api.AdminServiceAPI.AppAPI;
+import com.ctrip.framework.apollo.portal.component.PortalSettings;
 import com.ctrip.framework.apollo.portal.environment.Env;
 import com.ctrip.framework.apollo.portal.api.AdminServiceAPI;
 import com.ctrip.framework.apollo.portal.constant.TracerEventType;
@@ -63,6 +64,7 @@ public class AppService {
   private final FavoriteService favoriteService;
   private final UserService userService;
   private final ApolloAuditLogApi apolloAuditLogApi;
+  private final PortalSettings portalSettings;
 
   private final ApplicationEventPublisher publisher;
 
@@ -76,7 +78,7 @@ public AppService(
       final RolePermissionService rolePermissionService,
       final FavoriteService favoriteService,
       final UserService userService, ApplicationEventPublisher publisher,
-      final ApolloAuditLogApi apolloAuditLogApi) {
+      final ApolloAuditLogApi apolloAuditLogApi, PortalSettings portalSettings) {
     this.userInfoHolder = userInfoHolder;
     this.appAPI = appAPI;
     this.appRepository = appRepository;
@@ -88,6 +90,7 @@ public AppService(
     this.userService = userService;
     this.apolloAuditLogApi = apolloAuditLogApi;
     this.publisher = publisher;
+    this.portalSettings = portalSettings;
   }
 
 
@@ -138,6 +141,9 @@ public void createAppInRemote(Env env, App app) {
 
     AppDTO appDTO = BeanUtils.transform(AppDTO.class, app);
     appAPI.createApp(env, appDTO);
+
+    roleInitializationService.initClusterNamespaceRoles(app.getAppId(), ConfigConsts.CLUSTER_NAME_DEFAULT,
+        env.getName(), userInfoHolder.getUser().getUserId());
   }
 
   private App createAppInLocal(App app) {
@@ -162,6 +168,11 @@ private App createAppInLocal(App app) {
 
     appNamespaceService.createDefaultAppNamespace(appId);
     roleInitializationService.initAppRoles(createdApp);
+    List<Env> envs = portalSettings.getActiveEnvs();
+    for (Env env : envs) {
+      roleInitializationService.initClusterNamespaceRoles(appId, ConfigConsts.CLUSTER_NAME_DEFAULT,
+          env.getName(), userInfoHolder.getUser().getUserId());
+    }
 
     Tracer.logEvent(TracerEventType.CREATE_APP, appId);
 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ClusterService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ClusterService.java
index b0ee27f2e86..a01c26201b3 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ClusterService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ClusterService.java
@@ -32,10 +32,13 @@ public class ClusterService {
 
   private final UserInfoHolder userInfoHolder;
   private final AdminServiceAPI.ClusterAPI clusterAPI;
+  private final RoleInitializationService roleInitializationService;
 
-  public ClusterService(final UserInfoHolder userInfoHolder, final AdminServiceAPI.ClusterAPI clusterAPI) {
+  public ClusterService(final UserInfoHolder userInfoHolder, final AdminServiceAPI.ClusterAPI clusterAPI,
+      RoleInitializationService roleInitializationService) {
     this.userInfoHolder = userInfoHolder;
     this.clusterAPI = clusterAPI;
+    this.roleInitializationService = roleInitializationService;
   }
 
   public List<ClusterDTO> findClusters(Env env, String appId) {
@@ -48,6 +51,9 @@ public ClusterDTO createCluster(Env env, ClusterDTO cluster) {
     }
     ClusterDTO clusterDTO = clusterAPI.create(env, cluster);
 
+    roleInitializationService.initClusterNamespaceRoles(cluster.getAppId(), env.getName(), cluster.getName(),
+        userInfoHolder.getUser().getUserId());
+
     Tracer.logEvent(TracerEventType.CREATE_CLUSTER, cluster.getAppId(), "0", cluster.getName());
 
     return clusterDTO;
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/RoleInitializationService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/RoleInitializationService.java
index 1ccb5f9081d..f99e9638399 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/RoleInitializationService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/RoleInitializationService.java
@@ -33,4 +33,6 @@ void initNamespaceSpecificEnvRoles(String appId, String namespaceName, String en
 
   void initManageAppMasterRole(String appId, String operator);
 
+  void initClusterNamespaceRoles(String appId, String env, String clusterName, String operator);
+
 }
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java
index b54d20b50ab..391fb78b89b 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java
@@ -174,6 +174,20 @@ public void initManageAppMasterRole(String appId, String operator) {
     }
   }
 
+  @Transactional
+  @Override
+  public void initClusterNamespaceRoles(String appId, String env, String clusterName, String operator) {
+    String modifyNamespacesInClusterRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(appId, env, clusterName);
+    if (rolePermissionService.findRoleByRoleName(modifyNamespacesInClusterRoleName) == null) {
+      createClusterRole(appId, env, clusterName, PermissionType.MODIFY_NAMESPACES_IN_CLUSTER, modifyNamespacesInClusterRoleName, operator);
+    }
+
+    String releaseNamespacesInClusterRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(appId, env, clusterName);
+    if (rolePermissionService.findRoleByRoleName(releaseNamespacesInClusterRoleName) == null) {
+      createClusterRole(appId, env, clusterName, PermissionType.RELEASE_NAMESPACES_IN_CLUSTER, releaseNamespacesInClusterRoleName, operator);
+    }
+  }
+
   private void createAppMasterRole(String appId, String operator) {
     Set<Permission> appPermissions =
         Stream.of(PermissionType.CREATE_CLUSTER, PermissionType.CREATE_NAMESPACE, PermissionType.ASSIGN_ROLE)
@@ -228,4 +242,15 @@ private void createNamespaceEnvRole(String appId, String namespaceName, String p
     rolePermissionService
         .createRoleWithPermissions(role, Sets.newHashSet(createdPermission.getId()));
   }
+
+  private void createClusterRole(String appId, String env, String clusterName, String permissionType,
+                                 String roleName, String operator) {
+    Permission permission =
+        createPermission(RoleUtils.buildClusterTargetId(appId, env, clusterName), permissionType, operator);
+    Permission createdPermission = rolePermissionService.createPermission(permission);
+
+    Role role = createRole(roleName, operator);
+    rolePermissionService
+        .createRoleWithPermissions(role, Sets.newHashSet(createdPermission.getId()));
+  }
 }
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java
index a02473fbe99..1101fa4ebff 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java
@@ -66,6 +66,10 @@ public static String buildModifyNamespaceRoleName(String appId, String namespace
     return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, namespaceName, env);
   }
 
+  public static String buildModifyNamespacesInClusterRoleName(String appId, String env, String clusterName) {
+    return STRING_JOINER.join(RoleType.MODIFY_NAMESPACES_IN_CLUSTER, appId, env, clusterName);
+  }
+
   public static String buildModifyDefaultNamespaceRoleName(String appId) {
     return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, ConfigConsts.NAMESPACE_APPLICATION);
   }
@@ -78,6 +82,10 @@ public static String buildReleaseNamespaceRoleName(String appId, String namespac
     return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, namespaceName, env);
   }
 
+  public static String buildReleaseNamespacesInClusterRoleName(String appId, String env, String clusterName) {
+    return STRING_JOINER.join(RoleType.RELEASE_NAMESPACES_IN_CLUSTER, appId, env, clusterName);
+  }
+
   public static String buildNamespaceRoleName(String appId, String namespaceName, String roleType) {
     return buildNamespaceRoleName(appId, namespaceName, roleType, null);
   }
@@ -86,6 +94,10 @@ public static String buildNamespaceRoleName(String appId, String namespaceName,
     return STRING_JOINER.join(roleType, appId, namespaceName, env);
   }
 
+  public static String buildClusterRoleName(String appId, String env, String clusterName, String roleType) {
+    return STRING_JOINER.join(roleType, appId, env, clusterName);
+  }
+
   public static String buildReleaseDefaultNamespaceRoleName(String appId) {
     return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, ConfigConsts.NAMESPACE_APPLICATION);
   }
@@ -98,6 +110,10 @@ public static String buildNamespaceTargetId(String appId, String namespaceName,
     return STRING_JOINER.join(appId, namespaceName, env);
   }
 
+  public static String buildClusterTargetId(String appId, String env, String clusterName) {
+    return STRING_JOINER.join(appId, env, clusterName);
+  }
+
   public static String buildDefaultNamespaceTargetId(String appId) {
     return STRING_JOINER.join(appId, ConfigConsts.NAMESPACE_APPLICATION);
   }
diff --git a/apollo-portal/src/main/resources/static/app/manage_cluster.html b/apollo-portal/src/main/resources/static/app/manage_cluster.html
new file mode 100644
index 00000000000..d54245667ad
--- /dev/null
+++ b/apollo-portal/src/main/resources/static/app/manage_cluster.html
@@ -0,0 +1,130 @@
+<!--
+  ~ Copyright 2024 Apollo Authors
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+-->
+<!doctype html>
+<html ng-app="manage_cluster">
+
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <link rel="icon" href="../img/config.png">
+  <!-- styles -->
+  <link rel="stylesheet" type="text/css" href="../vendor/bootstrap/css/bootstrap.min.css">
+  <link rel="stylesheet" type="text/css" href="../vendor/angular/angular-toastr-1.4.1.min.css">
+  <link rel="stylesheet" type="text/css" media='all' href="../vendor/angular/loading-bar.min.css">
+  <link rel="stylesheet" type="text/css" href="../styles/common-style.css">
+  <link rel="stylesheet" type="text/css" href="../vendor/select2/select2.min.css">
+  <title>{{'Config.ManageCluster' | translate }}</title>
+</head>
+
+<body>
+
+<apollonav></apollonav>
+
+<div class="container-fluid apollo-container project-setting" ng-controller="ManageClusterController">
+  <section class="col-md-10 col-md-offset-1 panel">
+    <header class="panel-heading">
+      <div class="row">
+        <div class="col-md-9">
+          <h4 class="modal-title">{{'Config.ManageCluster' | translate }} (
+            {{'Common.AppId' | translate }}: <label ng-bind="appId"></label> )
+          </h4>
+        </div>
+        <div class="col-md-3 text-right">
+          <a type="button" class="btn btn-info" data-dismiss="modal"
+             href="{{ '/config.html' | prefixPath }}?#appid={{appId}}">{{'Common.ReturnToIndex' | translate }}
+          </a>
+        </div>
+      </div>
+    </header>
+
+    <div class="panel-body row" >
+
+      <section class="context">
+
+        <!--env-cluster info-->
+        <section ng-repeat="env in envs">
+          <hr>
+          <h4>{{'Common.Environment' | translate }}: {{env.name}}
+          </h4>
+          <section class="panel cluster-info-panel config-item-container" ng-repeat="cluster in env.clusters">
+            <header class="panel-heading">
+              <div class="row">
+                <div class="col-md-6 col-sm-6 header-namespace">
+                  <b class="namespace-name" data-tooltip="tooltip" data-placement="bottom">
+                    {{'Common.Cluster' | translate }}: {{cluster.name}}
+                  </b>
+                </div>
+                <div class="col-md-6 col-sm-6 text-right header-buttons">
+                  <a type="button" class="btn btn-default btn-sm" data-tooltip="tooltip" data-placement="bottom"
+                     title="{{'Cluster.GrantTips' | translate }}"
+                     href="{{ '/cluster/ns_role.html' | prefixPath }}?#/appid={{appId}}&env={{env.name}}&clusterName={{cluster.name}}">
+                    <img src="/img/assign.png">
+                    {{'Cluster.Grant' | translate }}
+                  </a>
+                </div>
+              </div>
+            </header>
+          </section>
+
+        </section>
+      </section>
+
+    </div>
+  </section>
+</div>
+
+<div ng-include="'../views/common/footer.html'"></div>
+
+<!-- jquery.js -->
+<script src="../vendor/jquery.min.js" type="text/javascript"></script>
+
+<!--angular-->
+<script src="../vendor/angular/angular.min.js"></script>
+<script src="../vendor/angular/angular-route.min.js"></script>
+<script src="../vendor/angular/angular-resource.min.js"></script>
+<script src="../vendor/angular/angular-toastr-1.4.1.tpls.min.js"></script>
+<script src="../vendor/angular/loading-bar.min.js"></script>
+<script src="../vendor/angular/angular-cookies.min.js"></script>
+
+<script src="../vendor/angular/angular-translate.2.18.1/angular-translate.min.js"></script>
+<script src="../vendor/angular/angular-translate.2.18.1/angular-translate-loader-static-files.min.js"></script>
+<script src="../vendor/angular/angular-translate.2.18.1/angular-translate-storage-cookie.min.js"></script>
+<!--valdr-->
+<script src="../vendor/valdr/valdr.min.js" type="text/javascript"></script>
+<script src="../vendor/valdr/valdr-message.min.js" type="text/javascript"></script>
+
+<!-- bootstrap.js -->
+<script src="../vendor/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
+
+<script src="../vendor/lodash.min.js"></script>
+
+<script src="../vendor/select2/select2.min.js" type="text/javascript"></script>
+<!--biz-->
+<!--must import-->
+<script type="application/javascript" src="../scripts/app.js"></script>
+<script type="application/javascript" src="../scripts/services/AppService.js"></script>
+<script type="application/javascript" src="../scripts/services/EnvService.js"></script>
+<script type="application/javascript" src="../scripts/services/UserService.js"></script>
+<script type="application/javascript" src="../scripts/services/CommonService.js"></script>
+<script type="application/javascript" src="../scripts/services/ClusterService.js"></script>
+<script type="application/javascript" src="../scripts/AppUtils.js"></script>
+<script type="application/javascript" src="../scripts/directive/directive.js"></script>
+<script type="application/javascript" src="../scripts/services/PermissionService.js"></script>
+
+<script type="application/javascript" src="../scripts/controller/ManageClusterController.js"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/apollo-portal/src/main/resources/static/cluster/ns_role.html b/apollo-portal/src/main/resources/static/cluster/ns_role.html
new file mode 100644
index 00000000000..5ccf4647d8c
--- /dev/null
+++ b/apollo-portal/src/main/resources/static/cluster/ns_role.html
@@ -0,0 +1,173 @@
+<!--
+  ~ Copyright 2024 Apollo Authors
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  ~
+-->
+<!doctype html>
+<html ng-app="role">
+
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <link rel="icon" href="../img/config.png">
+  <!-- styles -->
+  <link rel="stylesheet" type="text/css" href="../vendor/bootstrap/css/bootstrap.min.css">
+  <link rel="stylesheet" type="text/css" href="../vendor/angular/angular-toastr-1.4.1.min.css">
+  <link rel="stylesheet" type="text/css" media='all' href="../vendor/angular/loading-bar.min.css">
+  <link rel="stylesheet" type="text/css" href="../styles/common-style.css">
+  <link rel="stylesheet" type="text/css" href="../vendor/select2/select2.min.css">
+  <title>{{'Cluster.Role.Title' | translate }}</title>
+</head>
+
+<body>
+
+<apollonav></apollonav>
+
+<div class="container-fluid apollo-container">
+  <section class="panel col-md-offset-1 col-md-10" ng-controller="ClusterNamespaceRoleController">
+    <header class="panel-heading">
+      <div class="row">
+        <div class="col-md-9">
+          <h4 class="modal-title">
+            {{'Cluster.Role.Title' | translate }}
+            <small>
+              (
+              {{'Common.AppId' | translate }}:
+              <label ng-bind="pageContext.appId"></label>
+              {{'Common.Environment' | translate }}:
+              <label ng-bind="pageContext.env"></label>
+              {{'Common.ClusterName' | translate }}:
+              <label ng-bind="pageContext.clusterName"></label>
+              )
+            </small>
+          </h4>
+        </div>
+        <div class="col-md-3 text-right">
+          <a type="button" class="btn btn-info" data-dismiss="modal"
+             href="{{ '/app/manage_cluster.html' | prefixPath }}?#appid={{pageContext.appId}}">{{'Common.ReturnToManageClusterPage' | translate }}
+          </a>
+        </div>
+      </div>
+    </header>
+    <div class="panel-body" ng-show="hasAssignUserPermission">
+      <div class="row">
+        <div class="form-horizontal">
+          <div class="form-group">
+            <label
+                class="col-sm-2 control-label">{{'Cluster.Role.GrantModifyTo' | translate }}<br><small>{{'Cluster.Role.GrantModifyTo2' | translate }}</small></label>
+            <div class="col-sm-8">
+              <form class="form-inline" ng-submit="assignRoleToUser('ModifyNamespacesInCluster')">
+                <div class="form-group">
+                  <apollouserselector apollo-id="modifyRoleWidgetId"></apollouserselector>
+                </div>
+                <button type="submit" class="btn btn-default" style="margin-left: 20px;"
+                        ng-disabled="modifyRoleSubmitBtnDisabled">{{'Cluster.Role.Add' | translate }}</button>
+              </form>
+              <!-- Split button -->
+              <div class="item-container">
+                <div class="btn-group item-info"
+                     ng-repeat="user in rolesAssignedUsers.modifyRoleUsers">
+                  <button type="button" class="btn btn-default" ng-bind="user.userId"></button>
+                  <button type="button" class="btn btn-default dropdown-toggle"
+                          data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"
+                          ng-click="removeUserRole('ModifyNamespacesInCluster', user.userId)">
+                    <span class="glyphicon glyphicon-remove"></span>
+                  </button>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+        <hr>
+
+        <div class="row" style="margin-top: 10px;">
+          <div class="form-horizontal">
+            <div class="col-sm-2 text-right">
+              <label
+                  class="control-label">{{'Cluster.Role.GrantPublishTo' | translate }}<br><small>{{'Cluster.Role.GrantPublishTo2' | translate }}</small></label>
+            </div>
+            <div class="col-sm-8">
+              <form class="form-inline" ng-submit="assignRoleToUser('ReleaseNamespacesInCluster')">
+                <div class="form-group">
+                  <apollouserselector apollo-id="releaseRoleWidgetId"></apollouserselector>
+                </div>
+                <button type="submit" class="btn btn-default" style="margin-left: 20px;"
+                        ng-disabled="ReleaseRoleSubmitBtnDisabled">{{'Cluster.Role.Add' | translate }}</button>
+              </form>
+              <!-- Split button -->
+              <div class="item-container">
+                <div class="btn-group item-info"
+                     ng-repeat="user in rolesAssignedUsers.releaseRoleUsers">
+                  <button type="button" class="btn btn-default" ng-bind="user.userId"></button>
+                  <button type="button" class="btn btn-default dropdown-toggle"
+                          data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"
+                          ng-click="removeUserRole('ReleaseNamespacesInCluster', user.userId)">
+                    <span class="glyphicon glyphicon-remove"></span>
+                  </button>
+                </div>
+              </div>
+            </div>
+          </div>
+
+        </div>
+
+      </div>
+
+
+    </div>
+    <div class="panel-body text-center" ng-show="!hasAssignUserPermission">
+      <h2>{{'Cluster.Role.NoPermission' | translate }}</h2>
+    </div>
+
+  </section>
+</div>
+
+<div ng-include="'../views/common/footer.html'"></div>
+
+<!-- jquery.js -->
+<script src="../vendor/jquery.min.js" type="text/javascript"></script>
+
+<!--angular-->
+<script src="../vendor/angular/angular.min.js"></script>
+<script src="../vendor/angular/angular-resource.min.js"></script>
+<script src="../vendor/angular/angular-toastr-1.4.1.tpls.min.js"></script>
+<script src="../vendor/angular/loading-bar.min.js"></script>
+<script src="../vendor/angular/angular-cookies.min.js"></script>
+
+<script src="../vendor/angular/angular-translate.2.18.1/angular-translate.min.js"></script>
+<script src="../vendor/angular/angular-translate.2.18.1/angular-translate-loader-static-files.min.js"></script>
+<script src="../vendor/angular/angular-translate.2.18.1/angular-translate-storage-cookie.min.js"></script>
+
+<!-- bootstrap.js -->
+<script src="../vendor/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
+
+<script src="../vendor/select2/select2.min.js" type="text/javascript"></script>
+
+<!--biz-->
+<!--must import-->
+<script type="application/javascript" src="../scripts/app.js"></script>
+<script type="application/javascript" src="../scripts/services/AppService.js"></script>
+<script type="application/javascript" src="../scripts/services/EnvService.js"></script>
+<script type="application/javascript" src="../scripts/services/UserService.js"></script>
+<script type="application/javascript" src="../scripts/services/CommonService.js"></script>
+<script type="application/javascript" src="../scripts/services/PermissionService.js"></script>
+
+<script type="application/javascript" src="../scripts/AppUtils.js"></script>
+
+<script type="application/javascript" src="../scripts/PageCommon.js"></script>
+<script type="application/javascript" src="../scripts/directive/directive.js"></script>
+
+<script type="application/javascript" src="../scripts/controller/role/ClusterNamespaceRoleController.js"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/apollo-portal/src/main/resources/static/config.html b/apollo-portal/src/main/resources/static/config.html
index cc47fc0c6da..6a15f60f385 100644
--- a/apollo-portal/src/main/resources/static/config.html
+++ b/apollo-portal/src/main/resources/static/config.html
@@ -140,6 +140,10 @@
                                         apollo-img-src="'accesskey-manage'"
                                         apollo-href="'app/access_key.html?#/appid=' + pageContext.appId"></apolloentrance>
 
+                        <apolloentrance apollo-title="'Config.ManageCluster' | translate"
+                                        apollo-img-src="'project-manage'"
+                                        apollo-href="'app/manage_cluster.html?#/appid=' + pageContext.appId"></apolloentrance>
+
                         <a class="list-group-item" ng-show="missEnvs.length > 0" ng-click="createAppInMissEnv()">
                             <div class="row icon-text icon-plus-orange">
                                 <p class="btn-title ng-binding">{{'Config.CreateAppMissEnv' | translate }}</p>
@@ -187,10 +191,6 @@
         <div class="config-item-container hide" ng-class="{'view-mode-1': viewMode == 1, 'view-mode-2': viewMode == 2}"
             ng-controller="ConfigNamespaceController">
 
-            <h4 class="text-center" ng-show="viewMode == 2">
-                {{'Config.CurrentlyOperatorEnv' | translate }}:{{pageContext.env}}，
-                {{'Common.Cluster' | translate }}:{{pageContext.clusterName}}
-            </h4>
             <div class="alert alert-info alert-dismissible" role="alert"
                 ng-show="(!hideTip || !hideTip[pageContext.appId][pageContext.clusterName]) && envMapClusters[pageContext.env]">
 
diff --git a/apollo-portal/src/main/resources/static/i18n/en.json b/apollo-portal/src/main/resources/static/i18n/en.json
index f1dfca0b78a..d72d12336dc 100644
--- a/apollo-portal/src/main/resources/static/i18n/en.json
+++ b/apollo-portal/src/main/resources/static/i18n/en.json
@@ -35,6 +35,7 @@
   "Common.Deleted": "Delete Successfully",
   "Common.DeleteFailed": "Fail to Delete",
   "Common.ReturnToIndex": "Return to project page",
+  "Common.ReturnToManageClusterPage": "Return to manage cluster page",
   "Common.Cancel": "Cancel",
   "Common.Ok": "OK",
   "Common.Search": "Query",
@@ -361,6 +362,15 @@
   "Cluster.ClusterCreated": "Create cluster successfully",
   "Cluster.ClusterCreateFailed": "Failed to create cluster",
   "Cluster.PleaseChooseEnvironment": "Please select the environment",
+  "Cluster.Grant": "Authorize",
+  "Cluster.GrantTips": "Manage the configuration edit and release permission",
+  "Cluster.Role.Title": "Cluster Permission Management",
+  "Cluster.Role.GrantModifyTo": "Permission to edit",
+  "Cluster.Role.GrantModifyTo2": "(Can edit the configuration)",
+  "Cluster.Role.GrantPublishTo": "Permission to release",
+  "Cluster.Role.GrantPublishTo2": "(Can release the configuration)",
+  "Cluster.Role.Add": "Add",
+  "Cluster.Role.NoPermission": "You do not have permission!",
   "Config.Title": "Apollo Configuration Center",
   "Config.AppIdNotFound": "doesn't exist, ",
   "Config.ClickByCreate": "click to create",
@@ -446,6 +456,14 @@
   "Config.SortByKey": "Filter Config by Key",
   "Config.FilterConfig": "Filter",
   "Config.Reset": "Reset",
+  "Config.ManageCluster": "Manage Cluster",
+  "Cluster.Role.InitClusterPermissionError": "Error initializing authorization",
+  "Cluster.Role.GetGrantUserError": "Failed to load authorized users",
+  "Cluster.Role.PleaseChooseUser": "Please select the user",
+  "Cluster.Role.Added": "Add Successfully",
+  "Cluster.Role.AddFailed": "Failed to add",
+  "Cluster.Role.Deleted": "Delete Successfully",
+  "Cluster.Role.DeleteFailed": "Failed to Delete",
   "Delete.Title": "Delete applications, clusters, AppNamespace",
   "Delete.DeleteApp": "Delete application",
   "Delete.DeleteAppTips": "(Because deleting applications has very large impacts, only system administrators are allowed to delete them for the time being. Make sure that no client fetches the configuration of the application before deleting it.)",
diff --git a/apollo-portal/src/main/resources/static/i18n/zh-CN.json b/apollo-portal/src/main/resources/static/i18n/zh-CN.json
index d6fbd3ce87b..b78caa7a541 100644
--- a/apollo-portal/src/main/resources/static/i18n/zh-CN.json
+++ b/apollo-portal/src/main/resources/static/i18n/zh-CN.json
@@ -35,6 +35,7 @@
   "Common.Deleted": "删除成功",
   "Common.DeleteFailed": "删除失败",
   "Common.ReturnToIndex": "返回到应用首页",
+  "Common.ReturnToManageClusterPage": "返回到管理集群页面",
   "Common.Cancel": "取消",
   "Common.Ok": "确定",
   "Common.Search": "查询",
@@ -361,6 +362,22 @@
   "Cluster.ClusterCreated": "集群创建成功",
   "Cluster.ClusterCreateFailed": "集群创建失败",
   "Cluster.PleaseChooseEnvironment": "请选择环境",
+  "Cluster.Grant": "授权",
+  "Cluster.GrantTips": "配置修改、发布权限",
+  "Cluster.Role.Title": "集群权限管理",
+  "Cluster.Role.GrantModifyTo": "修改权",
+  "Cluster.Role.GrantModifyTo2": "（可以修改配置）",
+  "Cluster.Role.GrantPublishTo": "发布权",
+  "Cluster.Role.GrantPublishTo2": "（可以发布配置）",
+  "Cluster.Role.Add": "添加",
+  "Cluster.Role.NoPermission": "您没有权限哟!",
+  "Cluster.Role.InitClusterPermissionError": "初始化授权出错",
+  "Cluster.Role.GetGrantUserError": "加载授权用户出错",
+  "Cluster.Role.PleaseChooseUser": "请选择用户",
+  "Cluster.Role.Added": "添加成功",
+  "Cluster.Role.AddFailed": "添加失败",
+  "Cluster.Role.Deleted": "删除成功",
+  "Cluster.Role.DeleteFailed": "删除失败",
   "Config.Title": "Apollo 配置中心",
   "Config.AppIdNotFound": "不存在，",
   "Config.ClickByCreate": "点击创建",
@@ -446,6 +463,7 @@
   "Config.SortByKey": "按Key值过滤",
   "Config.FilterConfig": "过滤配置",
   "Config.Reset": "重置",
+  "Config.ManageCluster": "管理集群",
   "Delete.Title": "删除应用、集群、AppNamespace",
   "Delete.DeleteApp": "删除应用",
   "Delete.DeleteAppTips": "（由于删除应用影响面较大，所以现在暂时只允许系统管理员删除，请确保没有客户端读取该应用的配置后再做删除动作）",
diff --git a/apollo-portal/src/main/resources/static/scripts/app.js b/apollo-portal/src/main/resources/static/scripts/app.js
index 88ecb81e522..f133b6f59d1 100644
--- a/apollo-portal/src/main/resources/static/scripts/app.js
+++ b/apollo-portal/src/main/resources/static/scripts/app.js
@@ -72,6 +72,8 @@ var setting_module = angular.module('setting', ['app.service', 'apollo.directive
 var role_module = angular.module('role', ['app.service', 'apollo.directive', 'app.util', 'toastr', 'angular-loading-bar']);
 //cluster
 var cluster_module = angular.module('cluster', ['app.service', 'apollo.directive', 'app.util', 'toastr', 'angular-loading-bar', 'valdr']);
+//manage_cluster
+var manage_cluster_module = angular.module('manage_cluster', ['app.service', 'apollo.directive', 'app.util', 'toastr', 'angular-loading-bar', 'valdr']);
 //release history
 var release_history_module = angular.module('release_history', ['app.service', 'apollo.directive', 'app.util', 'toastr', 'angular-loading-bar']);
 //open manage
diff --git a/apollo-portal/src/main/resources/static/scripts/controller/ManageClusterController.js b/apollo-portal/src/main/resources/static/scripts/controller/ManageClusterController.js
new file mode 100644
index 00000000000..7656bf3aa93
--- /dev/null
+++ b/apollo-portal/src/main/resources/static/scripts/controller/ManageClusterController.js
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+manage_cluster_module.controller('ManageClusterController',
+    ['$scope', '$location', '$window', '$translate', 'toastr', 'AppService', 'EnvService', 'ClusterService',
+      'AppUtil',
+      function ($scope, $location, $window, $translate, toastr, AppService, EnvService, ClusterService,
+          AppUtil) {
+
+        var params = AppUtil.parseParams($location.$$url);
+        $scope.appId = params.appid;
+
+        $scope.envs = [];
+
+        function loadClusters() {
+          AppService.load_nav_tree($scope.appId).then(function (result) {
+            var nodes = AppUtil.collectData(result);
+            if (!nodes || nodes.length == 0) {
+              toastr.error($translate.instant('Config.SystemError'));
+              return;
+            }
+            nodes.forEach(function (node) {
+              $scope.envs.push({ name: node.env, clusters: node.clusters });
+            });
+            console.log($scope.envs);
+          });
+
+        }
+
+        loadClusters();
+
+      }
+    ]
+);
diff --git a/apollo-portal/src/main/resources/static/scripts/controller/role/ClusterNamespaceRoleController.js b/apollo-portal/src/main/resources/static/scripts/controller/role/ClusterNamespaceRoleController.js
new file mode 100644
index 00000000000..7489d803248
--- /dev/null
+++ b/apollo-portal/src/main/resources/static/scripts/controller/role/ClusterNamespaceRoleController.js
@@ -0,0 +1,166 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+role_module.controller('ClusterNamespaceRoleController',
+    ['$scope', '$location', '$window', '$translate', 'toastr', 'AppService', 'UserService', 'AppUtil', 'EnvService',
+      'PermissionService',
+      function ($scope, $location, $window, $translate, toastr, AppService, UserService, AppUtil, EnvService,
+          PermissionService) {
+
+        var params = AppUtil.parseParams($location.$$url);
+        $scope.pageContext = {
+          appId: params.appid,
+          env: params.env,
+          clusterName: params.clusterName
+        };
+
+        $scope.modifyRoleSubmitBtnDisabled = false;
+        $scope.releaseRoleSubmitBtnDisabled = false;
+
+        $scope.releaseRoleWidgetId = 'releaseRoleWidgetId';
+        $scope.modifyRoleWidgetId = 'modifyRoleWidgetId';
+
+        PermissionService.init_cluster_ns_permission($scope.pageContext.appId, $scope.pageContext.env, $scope.pageContext.clusterName)
+        .then(function (result) {
+
+        }, function (result) {
+          toastr.warning(AppUtil.errorMsg(result), $translate.instant('Cluster.Role.InitClusterPermissionError'));
+        });
+
+        PermissionService.has_assign_user_permission($scope.pageContext.appId)
+        .then(function (result) {
+          $scope.hasAssignUserPermission = result.hasPermission;
+        }, function (result) {
+
+        });
+
+        PermissionService.get_cluster_ns_role_users($scope.pageContext.appId,
+            $scope.pageContext.env, $scope.pageContext.clusterName)
+        .then(function (result) {
+          $scope.rolesAssignedUsers = result;
+        }, function (result) {
+          toastr.error(AppUtil.errorMsg(result), $translate.instant('Cluster.Role.GetGrantUserError'));
+        });
+
+        $scope.assignRoleToUser = function (roleType) {
+          if ("ReleaseNamespacesInCluster" === roleType) {
+            var user = $('.' + $scope.releaseRoleWidgetId).select2('data')[0];
+            if (!user) {
+              toastr.warning($translate.instant('Cluster.Role.PleaseChooseUser'));
+              return;
+            }
+            $scope.releaseRoleSubmitBtnDisabled = true;
+            var toAssignReleaseNamespacesInClusterRoleUser = user.id;
+
+            var assignReleaseNamespacesInClusterRoleFunc = function (appId, env, clusterName, user) {
+              return PermissionService.assign_release_cluster_ns_role(appId, env, clusterName, user);
+            };
+
+            assignReleaseNamespacesInClusterRoleFunc(
+                $scope.pageContext.appId,
+                $scope.pageContext.env,
+                $scope.pageContext.clusterName,
+                toAssignReleaseNamespacesInClusterRoleUser
+            ).then(function () {
+              toastr.success($translate.instant('Cluster.Role.Added'));
+              $scope.releaseRoleSubmitBtnDisabled = false;
+              $scope.rolesAssignedUsers.releaseRoleUsers.push({ userId: toAssignReleaseNamespacesInClusterRoleUser });
+
+              $('.' + $scope.releaseRoleWidgetId).select2("val", "");
+            }, function (result) {
+              $scope.releaseRoleSubmitBtnDisabled = false;
+              toastr.error(AppUtil.errorMsg(result), $translate.instant('Cluster.Role.AddFailed'));
+            });
+          } else if ("ModifyNamespacesInCluster" === roleType) {
+            var user1 = $('.' + $scope.modifyRoleWidgetId).select2('data')[0];
+            if (!user1) {
+              toastr.warning($translate.instant('Cluster.Role.PleaseChooseUser'));
+              return;
+            }
+            $scope.modifyRoleSubmitBtnDisabled = true;
+            var toAssignModifyNamespacesInClusterRoleUser = user1.id;
+
+            var assignModifyNamespacesInClusterRoleFunc = function (appId, env, clusterName, user) {
+              return PermissionService.assign_modify_cluster_ns_role(appId, env, clusterName, user);
+            };
+
+            assignModifyNamespacesInClusterRoleFunc(
+                $scope.pageContext.appId,
+                $scope.pageContext.env,
+                $scope.pageContext.clusterName,
+                toAssignModifyNamespacesInClusterRoleUser
+            ).then(function () {
+              toastr.success($translate.instant('Cluster.Role.Added'));
+              $scope.modifyRoleSubmitBtnDisabled = false;
+              $scope.rolesAssignedUsers.modifyRoleUsers.push({ userId: toAssignModifyNamespacesInClusterRoleUser });
+
+              $('.' + $scope.modifyRoleWidgetId).select2("val", "");
+            }, function (result) {
+              $scope.modifyRoleSubmitBtnDisabled = false;
+              toastr.error(AppUtil.errorMsg(result), $translate.instant('Cluster.Role.AddFailed'));
+            });
+          }
+        };
+
+        $scope.removeUserRole = function (roleType, user) {
+          if ("ReleaseNamespacesInCluster" === roleType) {
+            var removeReleaseNamespacesInClusterRoleFunc = function (appId, env, clusterName, user) {
+              return PermissionService.remove_release_cluster_ns_role(appId, env, clusterName, user);
+            };
+            removeReleaseNamespacesInClusterRoleFunc(
+                $scope.pageContext.appId,
+                $scope.pageContext.env,
+                $scope.pageContext.clusterName,
+                user
+            ).then(function () {
+              toastr.success($translate.instant('Cluster.Role.Deleted'));
+              removeUserFromList($scope.rolesAssignedUsers.releaseRoleUsers, user);
+            }, function (result) {
+              toastr.error(AppUtil.errorMsg(result), $translate.instant('Namespace.Role.DeleteFailed'));
+            });
+          } else if ("ModifyNamespacesInCluster" === roleType) {
+            var removeModifyNamespacesInClusterRoleFunc = function (appId, env, clusterName, user) {
+              return PermissionService.remove_modify_cluster_ns_role(appId, env, clusterName, user);
+            };
+
+            removeModifyNamespacesInClusterRoleFunc(
+                $scope.pageContext.appId,
+                $scope.pageContext.env,
+                $scope.pageContext.clusterName,
+                user
+            ).then(function () {
+              toastr.success($translate.instant('Cluster.Role.Deleted'));
+              removeUserFromList($scope.rolesAssignedUsers.modifyRoleUsers, user);
+            }, function (result) {
+              toastr.error(AppUtil.errorMsg(result), $translate.instant('Cluster.Role.DeleteFailed'));
+            });
+          }
+        };
+
+        function removeUserFromList(list, user) {
+          var index = 0;
+          for (var i = 0; i < list.length; i++) {
+            if (list[i].userId === user) {
+              index = i;
+              break;
+            }
+          }
+          list.splice(index, 1);
+        }
+
+
+
+      }]);
diff --git a/apollo-portal/src/main/resources/static/scripts/directive/namespace-panel-directive.js b/apollo-portal/src/main/resources/static/scripts/directive/namespace-panel-directive.js
index ea811ce34a7..60904deef56 100644
--- a/apollo-portal/src/main/resources/static/scripts/directive/namespace-panel-directive.js
+++ b/apollo-portal/src/main/resources/static/scripts/directive/namespace-panel-directive.js
@@ -277,21 +277,34 @@ function directive($window, $translate, toastr, AppUtil, EventManager, Permissio
                                 )
                                     .then(function (result) {
                                         //branch has same permission
-                                        namespace.hasModifyPermission = result.hasPermission;
+                                        namespace.hasModifyPermission = namespace.hasModifyPermission || result.hasPermission;
                                         if (namespace.branch) {
-                                            namespace.branch.hasModifyPermission = result.hasPermission;
+                                            namespace.branch.hasModifyPermission = namespace.branch.hasModifyPermission || result.hasPermission;
                                         }
                                     });
                             }
                             else {
                                 //branch has same permission
-                                namespace.hasModifyPermission = result.hasPermission;
+                                namespace.hasModifyPermission = namespace.hasModifyPermission || result.hasPermission;
                                 if (namespace.branch) {
-                                    namespace.branch.hasModifyPermission = result.hasPermission;
+                                    namespace.branch.hasModifyPermission = namespace.branch.hasModifyPermission || result.hasPermission;
                                 }
                             }
                         });
 
+                    PermissionService.has_modify_cluster_ns_permission(
+                        scope.appId,
+                        scope.env,
+                        scope.cluster
+                    ).then(function (result) {
+                        if (result.hasPermission) {
+                            namespace.hasModifyPermission = namespace.hasModifyPermission || result.hasPermission;
+                            if (namespace.branch) {
+                                namespace.branch.hasModifyPermission = namespace.branch.hasModifyPermission || result.hasPermission;
+                            }
+                        }
+                    });
+
                     PermissionService.has_release_namespace_permission(
                         scope.appId,
                         namespace.baseInfo.namespaceName)
@@ -304,20 +317,34 @@ function directive($window, $translate, toastr, AppUtil, EventManager, Permissio
                                 )
                                     .then(function (result) {
                                         //branch has same permission
-                                        namespace.hasReleasePermission = result.hasPermission;
+                                        namespace.hasReleasePermission ||= result.hasPermission;
                                         if (namespace.branch) {
-                                            namespace.branch.hasReleasePermission = result.hasPermission;
+                                            namespace.branch.hasReleasePermission ||= result.hasPermission;
                                         }
                                     });
                             }
                             else {
                                 //branch has same permission
-                                namespace.hasReleasePermission = result.hasPermission;
+                                namespace.hasReleasePermission ||= result.hasPermission;
                                 if (namespace.branch) {
-                                    namespace.branch.hasReleasePermission = result.hasPermission;
+                                    namespace.branch.hasReleasePermission ||= result.hasPermission;
                                 }
                             }
                         });
+
+                    PermissionService.has_release_cluster_ns_permission(
+                        scope.appId,
+                        scope.env,
+                        scope.cluster
+                    ).then(function (result) {
+                        if (result.hasPermission) {
+                            namespace.hasReleasePermission ||= result.hasPermission;
+                            if (namespace.branch) {
+                                namespace.branch.hasReleasePermission ||= result.hasPermission;
+                            }
+                        }
+                    });
+
                 }
 
                 function initLinkedNamespace(namespace) {
diff --git a/apollo-portal/src/main/resources/static/scripts/services/PermissionService.js b/apollo-portal/src/main/resources/static/scripts/services/PermissionService.js
index 6816c53eedb..ce841232d12 100644
--- a/apollo-portal/src/main/resources/static/scripts/services/PermissionService.js
+++ b/apollo-portal/src/main/resources/static/scripts/services/PermissionService.js
@@ -23,6 +23,13 @@ appService.service('PermissionService', ['$resource', '$q', 'AppUtil', function
                  'Content-Type': 'text/plain;charset=UTF-8'
             }
         },
+        init_cluster_ns_permission: {
+            method: 'POST',
+            url: AppUtil.prefixPath() + '/apps/:appId/envs/:env/clusters/:clusterName/initNsPermission',
+            headers: {
+                 'Content-Type': 'text/plain;charset=UTF-8'
+            }
+        },
         has_app_permission: {
             method: 'GET',
             url: AppUtil.prefixPath() + '/apps/:appId/permissions/:permissionType'
@@ -35,6 +42,10 @@ appService.service('PermissionService', ['$resource', '$q', 'AppUtil', function
             method: 'GET',
             url: AppUtil.prefixPath() + '/apps/:appId/envs/:env/namespaces/:namespaceName/permissions/:permissionType'
         },
+        has_cluster_ns_permission: {
+            method: 'GET',
+            url: AppUtil.prefixPath() + '/apps/:appId/envs/:env/clusters/:clusterName/ns_permissions/:permissionType'
+        },
         has_root_permission:{
             method: 'GET',
             url: AppUtil.prefixPath() + '/permissions/root'
@@ -87,6 +98,21 @@ appService.service('PermissionService', ['$resource', '$q', 'AppUtil', function
         has_open_manage_app_master_role_limit: {
             method: 'GET',
             url: AppUtil.prefixPath() + '/system/role/manageAppMaster'
+        },
+        get_cluster_ns_role_users: {
+            method: 'GET',
+            url: AppUtil.prefixPath() + '/apps/:appId/envs/:env/clusters/:clusterName/ns_role_users'
+        },
+        assign_cluster_ns_role_to_user: {
+            method: 'POST',
+            url: AppUtil.prefixPath() + '/apps/:appId/envs/:env/clusters/:clusterName/ns_roles/:roleType',
+            headers: {
+                 'Content-Type': 'text/plain;charset=UTF-8'
+            }
+        },
+        remove_cluster_ns_role_from_user: {
+            method: 'DELETE',
+            url: AppUtil.prefixPath() + '/apps/:appId/envs/:env/clusters/:clusterName/ns_roles/:roleType?user=:user'
         }
     });
 
@@ -103,6 +129,21 @@ appService.service('PermissionService', ['$resource', '$q', 'AppUtil', function
         return d.promise;
     }
 
+    function initClusterNsPermission(appId, env, clusterName) {
+        var d = $q.defer();
+        permission_resource.init_cluster_ns_permission({
+                appId: appId,
+                env: env,
+                clusterName: clusterName
+            }, {},
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
     function hasAppPermission(appId, permissionType) {
         var d = $q.defer();
         permission_resource.has_app_permission({
@@ -148,6 +189,22 @@ appService.service('PermissionService', ['$resource', '$q', 'AppUtil', function
         return d.promise;
     }
 
+    function hasClusterNsPermission(appId, env, clusterName, permissionType) {
+        var d = $q.defer();
+        permission_resource.has_cluster_ns_permission({
+                appId: appId,
+                env: env,
+                clusterName: clusterName,
+                permissionType: permissionType
+            },
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
     function assignNamespaceRoleToUser(appId, namespaceName, roleType, user) {
         var d = $q.defer();
         permission_resource.assign_namespace_role_to_user({
@@ -212,10 +269,46 @@ appService.service('PermissionService', ['$resource', '$q', 'AppUtil', function
         return d.promise;
     }
 
+    function assignClusterNsRoleToUser(appId, env, clusterName, roleType, user) {
+        var d = $q.defer();
+        permission_resource.assign_cluster_ns_role_to_user({
+                appId: appId,
+                env: env,
+                clusterName: clusterName,
+                roleType: roleType
+            }, user,
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
+    function removeClusterNsRoleFromUser(appId, env, clusterName, roleType, user) {
+        var d = $q.defer();
+        permission_resource.remove_cluster_ns_role_from_user({
+                appId: appId,
+                env: env,
+                clusterName: clusterName,
+                roleType: roleType,
+                user: user
+            },
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
     return {
         init_app_namespace_permission: function (appId, namespace) {
             return initAppNamespacePermission(appId, namespace);
         },
+        init_cluster_ns_permission: function (appId, env, clusterName) {
+            return initClusterNsPermission(appId, env, clusterName);
+        },
         has_manage_app_master_permission: function (appId) {
             return hasAppPermission(appId, 'ManageAppMaster');
         },
@@ -351,6 +444,35 @@ appService.service('PermissionService', ['$resource', '$q', 'AppUtil', function
                     d.reject(result);
                 });
             return d.promise;
-        }
+        },
+        has_modify_cluster_ns_permission: function (appId, env, clusterName) {
+            return hasClusterNsPermission(appId, env, clusterName, 'ModifyNamespacesInCluster');
+        },
+        has_release_cluster_ns_permission: function (appId, env, clusterName) {
+            return hasClusterNsPermission(appId, env, clusterName, 'ReleaseNamespacesInCluster');
+        },
+        get_cluster_ns_role_users: function (appId, env, clusterName) {
+            var d = $q.defer();
+            permission_resource.get_cluster_ns_role_users({
+                appId: appId, env: env, clusterName: clusterName
+            }, function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+            return d.promise;
+        },
+        assign_modify_cluster_ns_role: function (appId, env, clusterName, user) {
+            return assignClusterNsRoleToUser(appId, env, clusterName, 'ModifyNamespacesInCluster', user);
+        },
+        assign_release_cluster_ns_role: function (appId, env, clusterName, user) {
+            return assignClusterNsRoleToUser(appId, env, clusterName, 'ReleaseNamespacesInCluster', user);
+        },
+        remove_modify_cluster_ns_role: function (appId, env, clusterName, user) {
+            return removeClusterNsRoleFromUser(appId, env, clusterName, 'ModifyNamespacesInCluster', user);
+        },
+        remove_release_cluster_ns_role: function (appId, env, clusterName, user) {
+            return removeClusterNsRoleFromUser(appId, env, clusterName, 'ReleaseNamespacesInCluster', user);
+        },
     }
 }]);
diff --git a/apollo-portal/src/main/resources/static/styles/common-style.css b/apollo-portal/src/main/resources/static/styles/common-style.css
index 350026705d0..69672a3635c 100644
--- a/apollo-portal/src/main/resources/static/styles/common-style.css
+++ b/apollo-portal/src/main/resources/static/styles/common-style.css
@@ -1189,4 +1189,8 @@ table th {
 
 .block {
     display: block;
+}
+
+.cluster-info-panel {
+    margin: 20px 0px;
 }
\ No newline at end of file
diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/ControllableAuthorizationConfiguration.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/ControllableAuthorizationConfiguration.java
new file mode 100644
index 00000000000..4e0f4e612de
--- /dev/null
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/ControllableAuthorizationConfiguration.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.ctrip.framework.apollo;
+
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.when;
+
+import com.ctrip.framework.apollo.portal.service.ItemService;
+import com.ctrip.framework.apollo.portal.service.RolePermissionService;
+import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Primary;
+
+@Configuration
+public class ControllableAuthorizationConfiguration {
+
+  @Primary
+  @Bean
+  public UserInfoHolder userInfoHolder() {
+    return mock(UserInfoHolder.class);
+  }
+
+  @Primary
+  @Bean
+  public RolePermissionService rolePermissionService() {
+    final RolePermissionService mock = mock(RolePermissionService.class);
+    when(mock.userHasPermission(eq("luke"), any(), any())).thenReturn(true);
+    return mock;
+  }
+
+  @Primary
+  @Bean
+  public ItemService itemService() {
+    return mock(ItemService.class);
+  }
+
+}
diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java
index 631f1b77b5b..1cba3858b5d 100644
--- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java
@@ -65,6 +65,7 @@ public ConsumerAuthUtil consumerAuthUtil() {
   public PermissionValidator permissionValidator() {
     final PermissionValidator mock = mock(PermissionValidator.class);
     when(mock.isSuperAdmin()).thenReturn(true);
+    when(mock.hasAssignRolePermission(any())).thenReturn(true);
     return mock;
   }
 }
diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/ItemControllerAuthIntegrationTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/ItemControllerAuthIntegrationTest.java
new file mode 100644
index 00000000000..05cbbcb700b
--- /dev/null
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/ItemControllerAuthIntegrationTest.java
@@ -0,0 +1,126 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.ctrip.framework.apollo.portal.controller;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.eq;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import com.ctrip.framework.apollo.ControllableAuthorizationConfiguration;
+import com.ctrip.framework.apollo.common.dto.ItemDTO;
+import com.ctrip.framework.apollo.portal.PortalApplication;
+import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
+import com.ctrip.framework.apollo.portal.environment.Env;
+import com.ctrip.framework.apollo.portal.service.ItemService;
+import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
+import com.google.gson.Gson;
+import javax.annotation.PostConstruct;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.context.SpringBootTest.WebEnvironment;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.test.context.jdbc.Sql;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
+import org.springframework.web.client.DefaultResponseErrorHandler;
+import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.RestTemplate;
+
+@RunWith(SpringJUnit4ClassRunner.class)
+@SpringBootTest(classes = {PortalApplication.class,
+    ControllableAuthorizationConfiguration.class}, webEnvironment = WebEnvironment.RANDOM_PORT)
+public class ItemControllerAuthIntegrationTest {
+
+  private final Gson GSON = new Gson();
+  private final String appId = "testApp";
+  private final String env = "LOCAL";
+  private final String clusterName = "default";
+  private final String namespaceName = "application";
+  private final ItemDTO itemDTO = new ItemDTO("testKey", "testValue", "testComment", 1);
+  protected RestTemplate restTemplate = (new TestRestTemplate()).getRestTemplate();
+
+  @Value("${local.server.port}")
+  int port;
+  @Autowired
+  private UserInfoHolder userInfoHolder;
+  @Autowired
+  private ItemService itemService;
+
+  @PostConstruct
+  private void postConstruct() {
+    System.setProperty("spring.profiles.active", "test");
+    restTemplate.setErrorHandler(new DefaultResponseErrorHandler());
+  }
+
+  protected String url(String path) {
+    return "http://localhost:" + port + path;
+  }
+
+  /**
+   * Test cluster permission denied.
+   */
+  @Test
+  public void testCreateItemPermissionDenied() {
+    setUserId("xxx");
+    try {
+      HttpHeaders headers = new HttpHeaders();
+      headers.set("Content-Type", "application/json");
+
+      HttpEntity<String> entity = new HttpEntity<>(GSON.toJson(itemDTO), headers);
+
+      restTemplate.postForEntity(
+          url("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item"),
+          entity, String.class, appId, env, clusterName, namespaceName);
+
+      fail("should throw");
+    } catch (final HttpClientErrorException e) {
+      assertEquals(HttpStatus.FORBIDDEN, e.getStatusCode());
+    }
+  }
+
+  @Test
+  @Sql(scripts = "/sql/cleanup.sql", executionPhase = Sql.ExecutionPhase.AFTER_TEST_METHOD)
+  public void testCreateItemPermissionAccessed() {
+    setUserId("luke");
+    HttpHeaders headers = new HttpHeaders();
+    headers.set("Content-Type", "application/json");
+
+    HttpEntity<String> entity = new HttpEntity<>(GSON.toJson(itemDTO), headers);
+
+    restTemplate.postForEntity(
+        url("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item"),
+        entity, String.class, appId, env, clusterName, namespaceName);
+
+    // Verify that the createItem method was called with the correct parameters
+    verify(itemService).createItem(eq(appId), eq(Env.valueOf(env)), eq(clusterName),
+        eq(namespaceName), any(ItemDTO.class));
+  }
+
+  void setUserId(String userId) {
+    UserInfo userInfo = new UserInfo();
+    userInfo.setUserId(userId);
+    when(userInfoHolder.getUser()).thenReturn(userInfo);
+  }
+}
\ No newline at end of file
diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/PermissionControllerTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/PermissionControllerTest.java
new file mode 100644
index 00000000000..3f0436f00f5
--- /dev/null
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/PermissionControllerTest.java
@@ -0,0 +1,107 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.ctrip.framework.apollo.portal.controller;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+
+import com.ctrip.framework.apollo.portal.AbstractIntegrationTest;
+import com.ctrip.framework.apollo.portal.entity.vo.ClusterNamespaceRolesAssignedUsers;
+import com.ctrip.framework.apollo.portal.service.RoleInitializationService;
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpEntity;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.test.context.jdbc.Sql;
+
+@ActiveProfiles("skipAuthorization")
+public class PermissionControllerTest extends AbstractIntegrationTest {
+
+  private final String appId = "testApp";
+  private final String env = "LOCAL";
+  private final String clusterName = "testCluster";
+  private final String roleType = "ModifyNamespacesInCluster";
+  private final String user = "apollo";
+
+  @Autowired
+  RoleInitializationService roleInitializationService;
+
+  @Before
+  public void setUp() {
+    roleInitializationService.initClusterNamespaceRoles(appId, env, clusterName, "apollo");
+  }
+
+  @Test
+  @Sql(scripts = "/sql/cleanup.sql", executionPhase = Sql.ExecutionPhase.AFTER_TEST_METHOD)
+  public void testClusterNamespaceRoleLifeCycle() {
+
+    HttpHeaders headers = new HttpHeaders();
+    headers.set("Content-Type", "application/json");
+    HttpEntity<String> entity = new HttpEntity<>(user, headers);
+
+    // check role not assigned
+    ResponseEntity<ClusterNamespaceRolesAssignedUsers> beforeAssign = restTemplate.getForEntity(
+        url("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_role_users"),
+        ClusterNamespaceRolesAssignedUsers.class, appId, env, clusterName);
+    assertEquals(200, beforeAssign.getStatusCodeValue());
+    ClusterNamespaceRolesAssignedUsers body = beforeAssign.getBody();
+    assertNotNull(body);
+    assertEquals(appId, body.getAppId());
+    assertEquals(env, body.getEnv());
+    assertEquals(clusterName, body.getCluster());
+    assertTrue(body.getModifyRoleUsers() == null || body.getModifyRoleUsers().isEmpty());
+
+    // assign role to user
+    restTemplate.postForEntity(
+        url("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_roles/{roleType}"), entity, Void.class,
+        appId, env, clusterName, roleType);
+
+    // check role assigned
+    ResponseEntity<ClusterNamespaceRolesAssignedUsers> afterAssign = restTemplate.getForEntity(
+        url("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_role_users"),
+        ClusterNamespaceRolesAssignedUsers.class, appId, env, clusterName);
+    assertEquals(200, afterAssign.getStatusCodeValue());
+    body = afterAssign.getBody();
+    assertNotNull(body);
+    assertEquals(appId, body.getAppId());
+    assertEquals(env, body.getEnv());
+    assertEquals(clusterName, body.getCluster());
+    assertTrue(
+        body.getModifyRoleUsers().stream().anyMatch(userInfo -> userInfo.getUserId().equals(user)));
+
+    // remove role from user
+    restTemplate.delete(
+        url("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_roles/{roleType}?user={user}"), appId,
+        env, clusterName, roleType, user);
+
+    // check role removed
+    ResponseEntity<ClusterNamespaceRolesAssignedUsers> afterRemove = restTemplate.getForEntity(
+        url("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_role_users"),
+        ClusterNamespaceRolesAssignedUsers.class, appId, env, clusterName);
+    assertEquals(200, afterRemove.getStatusCodeValue());
+    body = afterRemove.getBody();
+    assertNotNull(body);
+    assertEquals(appId, body.getAppId());
+    assertEquals(env, body.getEnv());
+    assertEquals(clusterName, body.getCluster());
+    assertTrue(body.getModifyRoleUsers() == null || body.getModifyRoleUsers().isEmpty());
+  }
+}
diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/AppServiceTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/AppServiceTest.java
index 099454d671f..d4168892dd1 100644
--- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/AppServiceTest.java
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/AppServiceTest.java
@@ -23,6 +23,7 @@
 import com.ctrip.framework.apollo.common.entity.App;
 import com.ctrip.framework.apollo.common.exception.BadRequestException;
 import com.ctrip.framework.apollo.portal.api.AdminServiceAPI;
+import com.ctrip.framework.apollo.portal.component.PortalSettings;
 import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
 import com.ctrip.framework.apollo.portal.repository.AppRepository;
 import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
@@ -77,6 +78,8 @@ class AppServiceTest {
   ApplicationEventPublisher publisher;
   @MockBean
   ApolloAuditLogApi apolloAuditLogApi;
+  @MockBean
+  PortalSettings portalSettings;
 
   @BeforeEach
   void beforeEach() {
diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RoleInitializationServiceTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RoleInitializationServiceTest.java
index e81ae95e158..ffaa98e292c 100644
--- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RoleInitializationServiceTest.java
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RoleInitializationServiceTest.java
@@ -42,6 +42,7 @@ public class RoleInitializationServiceTest extends AbstractUnitTest {
 
   private final String APP_ID = "1000";
   private final String APP_NAME = "app-test";
+  private final String ENV = "DEV";
   private final String CLUSTER = "cluster-test";
   private final String NAMESPACE = "namespace-test";
   private final String CURRENT_USER = "user";
@@ -144,6 +145,87 @@ public void testInitNamespaceRoleModifyNSExisted(){
     verify(rolePermissionService, times(1)).createRoleWithPermissions(any(), anySet());
   }
 
+  @Test
+  public void testInitClusterNsRole() {
+
+      String modifyNamespacesInClusterRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(modifyNamespacesInClusterRoleName)).
+          thenReturn(null);
+
+      String releaseNamespacesInClusterRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(releaseNamespacesInClusterRoleName)).
+          thenReturn(null);
+
+      when(userInfoHolder.getUser()).thenReturn(mockUser());
+      when(rolePermissionService.createPermission(any())).thenReturn(mockPermission());
+
+      roleInitializationService.initClusterNamespaceRoles(APP_ID, ENV, CLUSTER, CURRENT_USER);
+
+      verify(rolePermissionService, times(2)).findRoleByRoleName(anyString());
+      verify(rolePermissionService, times(2)).createPermission(any());
+      verify(rolePermissionService, times(2)).createRoleWithPermissions(any(), anySet());
+  }
+
+  @Test
+  public void testInitClusterNsRoleHasExisted() {
+
+      String modifyNamespacesInClusterRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(modifyNamespacesInClusterRoleName)).
+          thenReturn(mockRole(modifyNamespacesInClusterRoleName));
+
+      String releaseNamespacesInClusterRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(releaseNamespacesInClusterRoleName)).
+          thenReturn(mockRole(releaseNamespacesInClusterRoleName));
+
+      roleInitializationService.initClusterNamespaceRoles(APP_ID, ENV, CLUSTER, CURRENT_USER);
+
+      verify(rolePermissionService, times(2)).findRoleByRoleName(anyString());
+      verify(rolePermissionService, times(0)).createPermission(any());
+      verify(rolePermissionService, times(0)).createRoleWithPermissions(any(), anySet());
+  }
+
+  @Test
+  public void testInitClusterNsRoleModifyNamespacesInClusterExisted() {
+
+      String modifyNamespacesInClusterRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(modifyNamespacesInClusterRoleName)).
+          thenReturn(mockRole(modifyNamespacesInClusterRoleName));
+
+      String releaseNamespacesInClusterRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(releaseNamespacesInClusterRoleName)).
+          thenReturn(null);
+
+      when(userInfoHolder.getUser()).thenReturn(mockUser());
+      when(rolePermissionService.createPermission(any())).thenReturn(mockPermission());
+
+      roleInitializationService.initClusterNamespaceRoles(APP_ID, ENV, CLUSTER, CURRENT_USER);
+
+      verify(rolePermissionService, times(2)).findRoleByRoleName(anyString());
+      verify(rolePermissionService, times(1)).createPermission(any());
+      verify(rolePermissionService, times(1)).createRoleWithPermissions(any(), anySet());
+  }
+
+  @Test
+  public void testInitClusterNsRoleReleaseNamespacesInClusterExisted() {
+
+      String modifyNamespacesInClusterRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(modifyNamespacesInClusterRoleName)).
+          thenReturn(null);
+
+      String releaseNamespacesInClusterRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(APP_ID, ENV, CLUSTER);
+      when(rolePermissionService.findRoleByRoleName(releaseNamespacesInClusterRoleName)).
+          thenReturn(mockRole(releaseNamespacesInClusterRoleName));
+
+      when(userInfoHolder.getUser()).thenReturn(mockUser());
+      when(rolePermissionService.createPermission(any())).thenReturn(mockPermission());
+
+      roleInitializationService.initClusterNamespaceRoles(APP_ID, ENV, CLUSTER, CURRENT_USER);
+
+      verify(rolePermissionService, times(2)).findRoleByRoleName(anyString());
+      verify(rolePermissionService, times(1)).createPermission(any());
+      verify(rolePermissionService, times(1)).createRoleWithPermissions(any(), anySet());
+  }
+
   private App mockApp(){
     App app = new App();
     app.setAppId(APP_ID);
diff --git a/doc/images/manage_cluster_entry.png b/doc/images/manage_cluster_entry.png
new file mode 100644
index 00000000000..96b4788404d
Binary files /dev/null and b/doc/images/manage_cluster_entry.png differ
diff --git a/doc/images/ns-permission-app-allns-entry.png b/doc/images/ns-permission-app-allns-entry.png
new file mode 100644
index 00000000000..d62724786b1
Binary files /dev/null and b/doc/images/ns-permission-app-allns-entry.png differ
diff --git a/doc/images/ns-permission-app-allns-select.png b/doc/images/ns-permission-app-allns-select.png
new file mode 100644
index 00000000000..f816b6e80d4
Binary files /dev/null and b/doc/images/ns-permission-app-allns-select.png differ
diff --git a/doc/images/ns-permission-app-env-cluster-edit.png b/doc/images/ns-permission-app-env-cluster-edit.png
new file mode 100644
index 00000000000..806b60f6c15
Binary files /dev/null and b/doc/images/ns-permission-app-env-cluster-edit.png differ
diff --git a/doc/images/ns-permission-app-env-cluster-entry.png b/doc/images/ns-permission-app-env-cluster-entry.png
new file mode 100644
index 00000000000..1a92f87eddb
Binary files /dev/null and b/doc/images/ns-permission-app-env-cluster-entry.png differ
diff --git a/doc/images/ns-permission-app-env-ns-select.png b/doc/images/ns-permission-app-env-ns-select.png
new file mode 100644
index 00000000000..38f195585ed
Binary files /dev/null and b/doc/images/ns-permission-app-env-ns-select.png differ
diff --git a/docs/en/portal/apollo-user-guide.md b/docs/en/portal/apollo-user-guide.md
index c3890696c0c..e4674c1c565 100644
--- a/docs/en/portal/apollo-user-guide.md
+++ b/docs/en/portal/apollo-user-guide.md
@@ -76,6 +76,72 @@ After the project is created, there are no editing and publishing permissions as
 3. Assign publish privileges
    * ![namespace-publish-permission](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-publish-permission.png)
 
+### 1.2.3 Configuring permissions for different dimensions
+
+Regarding Apollo's configuration permissions, the permissions were bound to the namespace during the initial design. Because Apollo's permission management itself is relatively flexible, it can be expanded on this basis.
+Design of main entity classes based on Apollo [E-R Diagram](/docs/en/design/apollo-design.md?id=_14-e-r-diagram)，
+We can think of Namespace as the smallest unit of permissions, and App as the largest unit of permissions.
+In the middle are Env and Cluster, so we can manage permissions in different dimensions.
+
+| App | Env | Cluster | Namespace | Model | Impl |
+| --- | --- | --- | --- | --- |------|
+| ☑️ |  |  |  | App → * | no   |
+| ☑️ |  |  | ☑️ | App → Namespace | yes  |
+| ☑️ | ☑️ |  |  | App + Env → * | no   |
+| ☑️ | ☑️ |  | ☑️ | App + Env → Namespace | yes  |
+| ☑️ | ☑️ | ☑️ |  | App + Env + Cluster → * | yes  |
+| ☑️ | ☑️ | ☑️ | ☑️ | App + Env + Cluster → Namespace | no    |
+
+Explanation of different permission models：
+
+| Model | Target | PermissionType (e.g. Modify) | TargetId |
+| --- | --- | --- | --- |
+| App → * | All namespaces of App |  |  |
+| App → Namespace | All namespaces with specified names under App | ModifyNamespace | App+Namespace |
+| App + Env → * | All namespaces under App's env |  |  |
+| App + Env → Namespace | All namespaces with specified names under App's env | ModifyNamespace | App+Namespace+Env |
+| App + Env + Cluster → * | All namespaces of the cluster in App's env | ModifyNamespaceInCluster | App+Env+ClusterName |
+| App + Env + Cluster → Namespace | The namespace with the specified name under the cluster in App's env |  |  |
+
+#### 1.2.3.1 All namespaces of App
+
+1. Click the authorization button of the application
+   * ![ns-permission-app-allns-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-allns-entry.png)
+
+2. Select "All environments"
+   * ![ns-permission-app-allns-select](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-allns-select.png)
+
+3. Assign the modify permission
+   * ![namespace-permission-edit](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-permission-edit.png)
+
+4. Assign publish privileges
+   * ![namespace-publish-permission](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-publish-permission.png)
+
+#### 1.2.3.2 All namespaces of App's env
+
+1. Click the authorization button of the application
+   * ![ns-permission-app-env-allns-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-allns-entry.png)
+
+2. Select the env
+   * ![ns-permission-app-env-ns-select](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-ns-select.png)
+
+3. Assign the modify permission
+   * ![namespace-permission-edit](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-permission-edit.png)
+
+4. Assign publish privileges
+   * ![namespace-publish-permission](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-publish-permission.png)
+
+#### 1.2.3.3 All namespaces of the cluster in App's env
+
+1. Click "Manage Cluster" to enter the management cluster page
+   * ![manage-cluster-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/manage-cluster-entry.png)
+
+2. Click the authorization button of the Cluster you want to manage
+   * ![ns-permission-app-env-cluster-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-cluster-entry.png)
+
+3. Edit permissions
+   * ![ns-permission-app-env-cluster-edit](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-cluster-edit.png)
+
 ## 1.3 Adding configuration items
 
 To edit the configuration, you need to have the edit permission of this Namespace. If you find that there is no Add Configuration button, you can find the project administrator to authorize it.
diff --git a/docs/zh/portal/apollo-user-guide.md b/docs/zh/portal/apollo-user-guide.md
index d4616240830..c09b3266706 100644
--- a/docs/zh/portal/apollo-user-guide.md
+++ b/docs/zh/portal/apollo-user-guide.md
@@ -70,6 +70,73 @@
 3. 分配发布权限
     * ![namespace-publish-permission](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-publish-permission.png)
 
+### 1.2.3 不同维度的权限管理
+
+对于Apollo的配置权限，在初始设计时把权限绑定在了 namespace 上，因为 apollo 的权限管理本身是比较灵活的，所以可以在这个基础之上进行扩展。
+
+基于 Apollo 的主要实体类的设计 [E-R Diagram](/docs/zh/design/apollo-design.md?id=_14-e-r-diagram)，
+我们可以认为 Namespace 是一个权限的最小单元，而 App 是一个权限的最大单元。
+中间依次是 Env、Cluster，所以我们可以对不同维度的权限进行管理。
+
+| App | Env | Cluster | Namespace | Model | Impl |
+| --- | --- | --- | --- | --- |------|
+| ☑️ |  |  |  | App → * | 未实现  |
+| ☑️ |  |  | ☑️ | App → Namespace | 已实现  |
+| ☑️ | ☑️ |  |  | App + Env → * | 未实现  |
+| ☑️ | ☑️ |  | ☑️ | App + Env → Namespace | 已实现  |
+| ☑️ | ☑️ | ☑️ |  | App + Env + Cluster → * | 已实现  |
+| ☑️ | ☑️ | ☑️ | ☑️ | App + Env + Cluster → Namespace | 未实现  |
+
+对不同权限模型的释义：
+
+| Model | Target | PermissionType (e.g. Modify) | TargetId |
+| --- | --- | --- | --- |
+| App → * | App的所有namespace |  |  |
+| App → Namespace | App下的所有指定名字的namespace | ModifyNamespace | App+Namespace |
+| App + Env → * | App的env下所有namespace |  |  |
+| App + Env → Namespace | App的env下所有指定名字的namespace | ModifyNamespace | App+Namespace+Env |
+| App + Env + Cluster → * | App的env中cluster的所有namespace | ModifyNamespaceInCluster | App+Env+ClusterName |
+| App + Env + Cluster → Namespace | App的env中cluster下指定名字的namespace |  |  |
+
+#### 1.2.3.1 App下的所有指定名字的namespace
+
+1. 点击application这个namespace的授权按钮
+    * ![ns-permission-app-allns-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-allns-entry.png)
+    
+2. 选择“所有环境”
+    * ![ns-permission-app-allns-select](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-allns-select.png)
+
+3. 分配修改权限
+    * ![namespace-permission-edit](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-permission-edit.png)
+
+4. 分配发布权限
+    * ![namespace-publish-permission](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-publish-permission.png)
+
+#### 1.2.3.2 App的env下所有指定名字的namespace
+
+1. 点击application这个namespace的授权按钮
+    * ![ns-permission-app-env-allns-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-allns-entry.png)
+
+2. 选择环境
+    * ![ns-permission-app-env-ns-select](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-ns-select.png)
+
+3. 分配修改权限
+    * ![namespace-permission-edit](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-permission-edit.png)
+
+4. 分配发布权限
+    * ![namespace-publish-permission](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/namespace-publish-permission.png)
+
+#### 1.2.3.3 App的env中cluster的所有namespace
+
+1. 点击“管理集群”进取管理集群页面
+    * ![manage-cluster-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/manage-cluster-entry.png)
+
+2. 点击想管理的Cluster的授权按钮
+    * ![ns-permission-app-env-cluster-entry](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-cluster-entry.png)
+
+3. 编辑权限
+    * ![ns-permission-app-env-cluster-edit](https://cdn.jsdelivr.net/gh/apolloconfig/apollo@master/doc/images/ns-permission-app-env-cluster-edit.png)
+
 ## 1.3 添加配置项
 编辑配置需要拥有这个Namespace的编辑权限，如果发现没有新增配置按钮，可以找项目管理员授权。