diff --git a/aspnet-core/LINGYUN.MicroService.All.sln b/aspnet-core/LINGYUN.MicroService.All.sln index 3bda2e147..9ca58ff3b 100644 --- a/aspnet-core/LINGYUN.MicroService.All.sln +++ b/aspnet-core/LINGYUN.MicroService.All.sln @@ -182,10 +182,6 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.Auditing.HttpAp EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "permission-management", "permission-management", "{CC362C67-6FC1-42B3-A130-8120AA8D790C}" EndProject -Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.PermissionManagement.Domain", "modules\permissions-management\LINGYUN.Abp.PermissionManagement.Domain\LINGYUN.Abp.PermissionManagement.Domain.csproj", "{B46D6DAF-98C6-441F-9FA5-3CAD7CF27727}" -EndProject -Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.PermissionManagement.Domain.Identity", "modules\identity\LINGYUN.Abp.PermissionManagement.Domain.Identity\LINGYUN.Abp.PermissionManagement.Domain.Identity.csproj", "{2D377D3A-70EC-4BB3-9F4C-6C933693DA98}" -EndProject Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "wechat", "wechat", "{DD9BE9E7-F6BF-4869-BCD2-82F5072BDA21}" EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.WeChat", "modules\wechat\LINGYUN.Abp.WeChat\LINGYUN.Abp.WeChat.csproj", "{BAE74ABC-1096-495F-A624-BEBFBC1896F2}" 
@@ -398,6 +394,14 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "webhooks", "webhooks", "{13 EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.WebHooks", "modules\webhooks\LINGYUN.Abp.WebHooks\LINGYUN.Abp.WebHooks.csproj", "{91AE01B1-CC82-40E2-8290-B8A84C6E90D1}" EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "authorization", "authorization", "{9EC33D45-CCC7-41DF-829E-6B89A640FE35}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.Authorization.OrganizationUnits", "modules\authorization\LINGYUN.Abp.Authorization.OrganizationUnits\LINGYUN.Abp.Authorization.OrganizationUnits.csproj", "{902D822A-52B6-481C-96C5-ECD891FF83FC}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits", "modules\permissions-management\LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits\LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits.csproj", "{46244C99-3A0D-4D88-9F24-2B7B586ADBA4}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.Identity.OrganizaztionUnits", "modules\authorization\LINGYUN.Abp.Identity.OrganizaztionUnits\LINGYUN.Abp.Identity.OrganizaztionUnits.csproj", "{76A5564E-033B-4AA6-A22B-78B6EB134CC6}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -676,14 +680,6 @@ Global {07E19CA8-671D-4D58-9FED-5FEE9AE01A2F}.Debug|Any CPU.Build.0 = Debug|Any CPU {07E19CA8-671D-4D58-9FED-5FEE9AE01A2F}.Release|Any CPU.ActiveCfg = Release|Any CPU {07E19CA8-671D-4D58-9FED-5FEE9AE01A2F}.Release|Any CPU.Build.0 = Release|Any CPU - {B46D6DAF-98C6-441F-9FA5-3CAD7CF27727}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {B46D6DAF-98C6-441F-9FA5-3CAD7CF27727}.Debug|Any CPU.Build.0 = Debug|Any CPU - {B46D6DAF-98C6-441F-9FA5-3CAD7CF27727}.Release|Any CPU.ActiveCfg = Release|Any CPU - {B46D6DAF-98C6-441F-9FA5-3CAD7CF27727}.Release|Any CPU.Build.0 = Release|Any CPU - {2D377D3A-70EC-4BB3-9F4C-6C933693DA98}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {2D377D3A-70EC-4BB3-9F4C-6C933693DA98}.Debug|Any CPU.Build.0 = Debug|Any CPU - {2D377D3A-70EC-4BB3-9F4C-6C933693DA98}.Release|Any CPU.ActiveCfg = Release|Any CPU - {2D377D3A-70EC-4BB3-9F4C-6C933693DA98}.Release|Any CPU.Build.0 = Release|Any CPU {BAE74ABC-1096-495F-A624-BEBFBC1896F2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {BAE74ABC-1096-495F-A624-BEBFBC1896F2}.Debug|Any CPU.Build.0 = Debug|Any CPU {BAE74ABC-1096-495F-A624-BEBFBC1896F2}.Release|Any CPU.ActiveCfg = Release|Any CPU 
@@ -1028,6 +1024,18 @@ Global {91AE01B1-CC82-40E2-8290-B8A84C6E90D1}.Debug|Any CPU.Build.0 = Debug|Any CPU {91AE01B1-CC82-40E2-8290-B8A84C6E90D1}.Release|Any CPU.ActiveCfg = Release|Any CPU {91AE01B1-CC82-40E2-8290-B8A84C6E90D1}.Release|Any CPU.Build.0 = Release|Any CPU + {902D822A-52B6-481C-96C5-ECD891FF83FC}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {902D822A-52B6-481C-96C5-ECD891FF83FC}.Debug|Any CPU.Build.0 = Debug|Any CPU + {902D822A-52B6-481C-96C5-ECD891FF83FC}.Release|Any CPU.ActiveCfg = Release|Any CPU + {902D822A-52B6-481C-96C5-ECD891FF83FC}.Release|Any CPU.Build.0 = Release|Any CPU + {46244C99-3A0D-4D88-9F24-2B7B586ADBA4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {46244C99-3A0D-4D88-9F24-2B7B586ADBA4}.Debug|Any CPU.Build.0 = Debug|Any CPU + {46244C99-3A0D-4D88-9F24-2B7B586ADBA4}.Release|Any CPU.ActiveCfg = Release|Any CPU + {46244C99-3A0D-4D88-9F24-2B7B586ADBA4}.Release|Any CPU.Build.0 = Release|Any CPU + {76A5564E-033B-4AA6-A22B-78B6EB134CC6}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {76A5564E-033B-4AA6-A22B-78B6EB134CC6}.Debug|Any CPU.Build.0 = Debug|Any CPU + {76A5564E-033B-4AA6-A22B-78B6EB134CC6}.Release|Any CPU.ActiveCfg = Release|Any CPU + {76A5564E-033B-4AA6-A22B-78B6EB134CC6}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE 
@@ -1118,8 +1126,6 @@ Global {AC3C8985-73C2-472A-8E76-A0B8786FEC3F} = {67DAB2A0-D407-4CAB-8414-AE3D0AC52FC4} {07E19CA8-671D-4D58-9FED-5FEE9AE01A2F} = {67DAB2A0-D407-4CAB-8414-AE3D0AC52FC4} {CC362C67-6FC1-42B3-A130-8120AA8D790C} = {C5CAD011-DF84-4914-939C-0C029DCEF26F} - {B46D6DAF-98C6-441F-9FA5-3CAD7CF27727} = {CC362C67-6FC1-42B3-A130-8120AA8D790C} - {2D377D3A-70EC-4BB3-9F4C-6C933693DA98} = {52B5D4F7-237B-4E0A-A167-68442164F70A} {DD9BE9E7-F6BF-4869-BCD2-82F5072BDA21} = {C5CAD011-DF84-4914-939C-0C029DCEF26F} {BAE74ABC-1096-495F-A624-BEBFBC1896F2} = {DD9BE9E7-F6BF-4869-BCD2-82F5072BDA21} {E92A1CAA-5758-41EF-B67E-C0D394E85417} = {52B5D4F7-237B-4E0A-A167-68442164F70A} @@ -1222,6 +1228,10 @@ Global {F57594AA-10C2-4DFF-87F6-19F2548099EA} = {A5543E56-DA53-494D-A531-DA75091D46FF} {13ACF670-F109-404E-B252-2FA34A4EA061} = {C5CAD011-DF84-4914-939C-0C029DCEF26F} {91AE01B1-CC82-40E2-8290-B8A84C6E90D1} = {13ACF670-F109-404E-B252-2FA34A4EA061} + {9EC33D45-CCC7-41DF-829E-6B89A640FE35} = {C5CAD011-DF84-4914-939C-0C029DCEF26F} + {902D822A-52B6-481C-96C5-ECD891FF83FC} = {9EC33D45-CCC7-41DF-829E-6B89A640FE35} + {46244C99-3A0D-4D88-9F24-2B7B586ADBA4} = {CC362C67-6FC1-42B3-A130-8120AA8D790C} + {76A5564E-033B-4AA6-A22B-78B6EB134CC6} = {9EC33D45-CCC7-41DF-829E-6B89A640FE35} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {C95FDF91-16F2-4A8B-A4BE-0E62D1B66718} diff --git a/aspnet-core/LINGYUN.MicroService.Common.sln b/aspnet-core/LINGYUN.MicroService.Common.sln index edeb3b22c..6bad06cfe 100644 --- a/aspnet-core/LINGYUN.MicroService.Common.sln +++ b/aspnet-core/LINGYUN.MicroService.Common.sln 
@@ -230,6 +230,12 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "webhooks", "webhooks", "{BD EndProject Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.WebHooks", "modules\webhooks\LINGYUN.Abp.WebHooks\LINGYUN.Abp.WebHooks.csproj", "{AFE75D2B-8853-488B-B5D5-277B58C5DBB2}" EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "authorization", "authorization", "{3971AD93-BF97-4E05-972D-CB5EB9F6CB88}" +EndProject +Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.Authorization.OrganizationUnits", "modules\authorization\LINGYUN.Abp.Authorization.OrganizationUnits\LINGYUN.Abp.Authorization.OrganizationUnits.csproj", "{D9339CBB-45B9-4701-B2AC-2A75FF20D77B}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LINGYUN.Abp.Identity.OrganizaztionUnits", "modules\authorization\LINGYUN.Abp.Identity.OrganizaztionUnits\LINGYUN.Abp.Identity.OrganizaztionUnits.csproj", "{474AA48F-65F9-436B-A0B1-1E95BD16CA8D}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU 
@@ -588,6 +594,14 @@ Global {AFE75D2B-8853-488B-B5D5-277B58C5DBB2}.Debug|Any CPU.Build.0 = Debug|Any CPU {AFE75D2B-8853-488B-B5D5-277B58C5DBB2}.Release|Any CPU.ActiveCfg = Release|Any CPU {AFE75D2B-8853-488B-B5D5-277B58C5DBB2}.Release|Any CPU.Build.0 = Release|Any CPU + {D9339CBB-45B9-4701-B2AC-2A75FF20D77B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {D9339CBB-45B9-4701-B2AC-2A75FF20D77B}.Debug|Any CPU.Build.0 = Debug|Any CPU + {D9339CBB-45B9-4701-B2AC-2A75FF20D77B}.Release|Any CPU.ActiveCfg = Release|Any CPU + {D9339CBB-45B9-4701-B2AC-2A75FF20D77B}.Release|Any CPU.Build.0 = Release|Any CPU + {474AA48F-65F9-436B-A0B1-1E95BD16CA8D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {474AA48F-65F9-436B-A0B1-1E95BD16CA8D}.Debug|Any CPU.Build.0 = Debug|Any CPU + {474AA48F-65F9-436B-A0B1-1E95BD16CA8D}.Release|Any CPU.ActiveCfg = Release|Any CPU + {474AA48F-65F9-436B-A0B1-1E95BD16CA8D}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE @@ -702,6 +716,9 @@ Global {3FF4CEA0-1555-4D62-AA81-B3B599253F8D} = {38E21687-5F19-42C9-9D11-4B1D2EF64EDB} {BD97C98B-0B4B-443D-AB29-145A344F46D3} = {02EA4E78-5891-43BC-944F-3E52FEE032E4} {AFE75D2B-8853-488B-B5D5-277B58C5DBB2} = {BD97C98B-0B4B-443D-AB29-145A344F46D3} + {3971AD93-BF97-4E05-972D-CB5EB9F6CB88} = {02EA4E78-5891-43BC-944F-3E52FEE032E4} + {D9339CBB-45B9-4701-B2AC-2A75FF20D77B} = {3971AD93-BF97-4E05-972D-CB5EB9F6CB88} + {474AA48F-65F9-436B-A0B1-1E95BD16CA8D} = {3971AD93-BF97-4E05-972D-CB5EB9F6CB88} EndGlobalSection GlobalSection(ExtensibilityGlobals) = postSolution SolutionGuid = {06C707C6-02C0-411A-AD3B-2D0E13787CB8} diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/FodyWeavers.xml b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/FodyWeavers.xml new file mode 100644 index 000000000..1715698cc --- /dev/null 
+++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/FodyWeavers.xml @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/FodyWeavers.xsd b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/FodyWeavers.xsd new file mode 100644 index 000000000..11da52550 --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/FodyWeavers.xsd @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed. + + + + + A comma-separated list of error codes that can be safely ignored in assembly verification. + + + + + 'false' to turn off automatic generation of the XML Schema file. + + + + + \ No newline at end of file diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN.Abp.Authorization.OrganizationUnits.csproj b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN.Abp.Authorization.OrganizationUnits.csproj new file mode 100644 index 000000000..294fa3d45 --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN.Abp.Authorization.OrganizationUnits.csproj @@ -0,0 +1,15 @@ + + + + + + + netstandard2.0 + + + + + + + + diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/OrganizationUnits/AbpAuthorizationOrganizationUnitsModule.cs b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/OrganizationUnits/AbpAuthorizationOrganizationUnitsModule.cs new file mode 100644 index 000000000..df54a83aa --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/OrganizationUnits/AbpAuthorizationOrganizationUnitsModule.cs 
@@ -0,0 +1,18 @@
+using LINGYUN.Abp.Authorization.Permissions;
+using Volo.Abp.Authorization;
+using Volo.Abp.Authorization.Permissions;
+using Volo.Abp.Modularity;
+
+namespace LINGYUN.Abp.Authorization.OrganizationUnits;
+
+[DependsOn(typeof(AbpAuthorizationModule))]
+public class AbpAuthorizationOrganizationUnitsModule : AbpModule
+{
+ public override void ConfigureServices(ServiceConfigurationContext context)
+ {
+ Configure(options =>
+ {
+ options.ValueProviders.Add();
+ });
+ }
+}
diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/OrganizationUnits/AbpOrganizationUnitClaimTypes.cs b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/OrganizationUnits/AbpOrganizationUnitClaimTypes.cs
new file mode 100644
index 000000000..5f552dd8e
--- /dev/null
+++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/OrganizationUnits/AbpOrganizationUnitClaimTypes.cs
@@ -0,0 +1,6 @@
+namespace LINGYUN.Abp.Authorization.OrganizationUnits;
+
+public static class AbpOrganizationUnitClaimTypes
+{
+ public static string OrganizationUnit { get; set; } = "organization_unit";
+}
diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/Permissions/OrganizationUnitPermissionValueProvider.cs b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/Permissions/OrganizationUnitPermissionValueProvider.cs
new file mode 100644
index 000000000..bc011515c
--- /dev/null
+++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/LINGYUN/Abp/Authorization/Permissions/OrganizationUnitPermissionValueProvider.cs
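Review bot: `AbpOrganizationUnitClaimTypes.OrganizationUnit` is a public static property with a setter and no documentation, yet the permission value provider and the claims contributor added in this commit both read it every time they run to decide which claims count as organization-unit membership. If the value is changed after principals have been issued, their existing `organization_unit` claims stop being seen by permission checks. The property deserves a comment such as `// Claim type carrying an organization unit id; set once at startup, before any principal is created.` If runtime reconfiguration is not needed, a get-only property or `const` would remove the concern.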
@@ -0,0 +1,82 @@
+using LINGYUN.Abp.Authorization.OrganizationUnits;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Volo.Abp;
+using Volo.Abp.Authorization.Permissions;
+
+namespace LINGYUN.Abp.Authorization.Permissions;
+
+public class OrganizationUnitPermissionValueProvider : PermissionValueProvider
+{
+ public const string ProviderName = "O";
+
+ public override string Name => ProviderName;
+
+ public OrganizationUnitPermissionValueProvider(
+ IPermissionStore permissionStore)
+ : base(permissionStore)
+ {
+ }
+
+ public async override Task CheckAsync(PermissionValueCheckContext context)
+ {
+ var organizationUnits = context.Principal?.FindAll(AbpOrganizationUnitClaimTypes.OrganizationUnit).Select(c => c.Value).ToArray();
+
+ if (organizationUnits == null || !organizationUnits.Any())
+ {
+ return PermissionGrantResult.Undefined;
+ }
+
+ foreach (var organizationUnit in organizationUnits.Distinct())
+ {
+ if (await PermissionStore.IsGrantedAsync(context.Permission.Name, Name, organizationUnit))
+ {
+ return PermissionGrantResult.Granted;
+ }
+ }
+
+ return PermissionGrantResult.Undefined;
+ }
+
+ public async override Task CheckAsync(PermissionValuesCheckContext context)
+ {
+ var permissionNames = context.Permissions.Select(x => x.Name).Distinct().ToList();
+ Check.NotNullOrEmpty(permissionNames, nameof(permissionNames));
+
+ var result = new MultiplePermissionGrantResult(permissionNames.ToArray());
+
+ var organizationUnits = context.Principal?.FindAll(AbpOrganizationUnitClaimTypes.OrganizationUnit).Select(c => c.Value).ToArray();
+ if (organizationUnits == null || !organizationUnits.Any())
+ {
+ return result;
+ }
+
+ foreach (var organizationUnit in organizationUnits.Distinct())
+ {
+ var multipleResult = await PermissionStore.IsGrantedAsync(permissionNames.ToArray(), Name, organizationUnit);
+
+ foreach (var grantResult in multipleResult.Result.Where(grantResult =>
+ result.Result.ContainsKey(grantResult.Key) &&
+ result.Result[grantResult.Key] == PermissionGrantResult.Undefined &&
+ grantResult.Value != PermissionGrantResult.Undefined))
+ {
+ result.Result[grantResult.Key] = grantResult.Value;
+ permissionNames.RemoveAll(x => x == grantResult.Key);
+ }
+
+ if (result.AllGranted || result.AllProhibited)
+ {
+ break;
+ }
+
+ if (permissionNames.IsNullOrEmpty())
+ {
+ break;
+ }
+ }
+
+ return result;
+ }
+}
diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/System/Security/Principal/AbpClaimOrganizationUnitsExtensions.cs b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/System/Security/Principal/AbpClaimOrganizationUnitsExtensions.cs
new file mode 100644
index 000000000..21d4d64d6
--- /dev/null
+++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/System/Security/Principal/AbpClaimOrganizationUnitsExtensions.cs
@@ -0,0 +1,34 @@
+using JetBrains.Annotations;
+using LINGYUN.Abp.Authorization.OrganizationUnits;
+using System.Collections.Generic;
+using System.Linq;
+using System.Security.Claims;
+using Volo.Abp;
+
+namespace System.Security.Principal;
+
+public static class AbpClaimOrganizationUnitsExtensions
+{
+ public static Guid[] FindOrganizationUnits([NotNull] this ClaimsPrincipal principal)
+ {
+ Check.NotNull(principal, nameof(principal));
+
+ var userOusOrNull = principal.Claims?.Where(c => c.Type == AbpOrganizationUnitClaimTypes.OrganizationUnit);
+ if (userOusOrNull == null || !userOusOrNull.Any())
+ {
+ return new Guid[0];
+ }
+
+ var userOus = new List();
+
+ foreach (var userOusClaim in userOusOrNull)
+ {
+ if (Guid.TryParse(userOusClaim.Value, out var guid))
+ {
+ userOus.Add(guid);
+ }
+ }
+
+ return userOus.ToArray();
+ }
+}
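Review bot: `OrganizationUnitPermissionValueProvider` is undocumented, and both `CheckAsync` overloads use every `organization_unit` claim value on the principal as a provider key without regard to where the claim came from. Grants therefore follow whatever the issued principal says: membership removed in the database keeps granting until the principal is re-issued, and any identity source able to place this claim type on a principal (not visible in this diff) obtains the grants stored under that key. I would add a class summary stating this, for example `/// Grants permissions stored under provider "O" for each organization_unit claim on the principal; claim values are trusted as issued.` The single-permission overload only ever returns `Granted` or `Undefined`, which is worth one line in its doc comment as well.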
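Review bot: `FindOrganizationUnits` silently drops any claim value that `Guid.TryParse` rejects, while `OrganizationUnitPermissionValueProvider` in this commit hands the raw claim string to the permission store, so the two views of a principal's organization units can disagree. A comment above the loop would make that explicit: `// Non-GUID values are ignored here; permission checks use the raw claim string.` The `Where` query is also enumerated twice (`Any()` and then `foreach`), and `new Guid[0]` can be `Array.Empty<Guid>()`.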
diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/Volo/Abp/Users/CurrentUserOrganizationUnitsExtensions.cs b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/Volo/Abp/Users/CurrentUserOrganizationUnitsExtensions.cs new file mode 100644 index 000000000..fce71345f --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Authorization.OrganizationUnits/Volo/Abp/Users/CurrentUserOrganizationUnitsExtensions.cs @@ -0,0 +1,30 @@ +using JetBrains.Annotations; +using LINGYUN.Abp.Authorization.OrganizationUnits; +using System; +using System.Collections.Generic; + +namespace Volo.Abp.Users; + +public static class CurrentUserOrganizationUnitsExtensions +{ + public static Guid[] FindOrganizationUnits([NotNull] this ICurrentUser currentUser) + { + var organizationUnits = currentUser.FindClaims(AbpOrganizationUnitClaimTypes.OrganizationUnit); + if (organizationUnits.IsNullOrEmpty()) + { + return new Guid[0]; + } + + var userOus = new List(); + + foreach (var userOusClaim in organizationUnits) + { + if (Guid.TryParse(userOusClaim.Value, out var guid)) + { + userOus.Add(guid); + } + } + + return userOus.ToArray(); + } +} diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/FodyWeavers.xml b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/FodyWeavers.xml new file mode 100644 index 000000000..1715698cc --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/FodyWeavers.xml @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/FodyWeavers.xsd b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/FodyWeavers.xsd new file mode 100644 index 000000000..11da52550 --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/FodyWeavers.xsd 
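Review bot: `currentUser` is annotated `[NotNull]` but never checked in `CurrentUserOrganizationUnitsExtensions.FindOrganizationUnits`, unlike the `ClaimsPrincipal` overload in this commit, which calls `Check.NotNull(principal, nameof(principal))`. A null argument would surface as a `NullReferenceException` at `currentUser.FindClaims(...)` rather than as an argument error. Adding `Check.NotNull(currentUser, nameof(currentUser));` as the first statement keeps the two extensions consistent. The GUID-parsing loop is duplicated between the two files and could live in one shared helper.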
@@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed. + + + + + A comma-separated list of error codes that can be safely ignored in assembly verification. + + + + + 'false' to turn off automatic generation of the XML Schema file. + + + + + \ No newline at end of file diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN.Abp.Identity.OrganizaztionUnits.csproj b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN.Abp.Identity.OrganizaztionUnits.csproj new file mode 100644 index 000000000..f9b0d8d9c --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN.Abp.Identity.OrganizaztionUnits.csproj @@ -0,0 +1,16 @@ + + + + + + + netstandard2.0 + + + + + + + + + diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN/Abp/Identity/OrganizaztionUnits/AbpIdentityOrganizaztionUnitsModule.cs b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN/Abp/Identity/OrganizaztionUnits/AbpIdentityOrganizaztionUnitsModule.cs new file mode 100644 index 000000000..0f96210dc --- /dev/null +++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN/Abp/Identity/OrganizaztionUnits/AbpIdentityOrganizaztionUnitsModule.cs @@ -0,0 +1,11 @@ +using LINGYUN.Abp.Authorization.OrganizationUnits; +using Volo.Abp.Modularity; + +namespace LINGYUN.Abp.Identity.OrganizaztionUnits; + +[DependsOn(typeof(AbpIdentityDomainModule))] +[DependsOn(typeof(AbpAuthorizationOrganizationUnitsModule))] +public class AbpIdentityOrganizaztionUnitsModule : AbpModule +{ + +} 
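Review bot: The module, its project and its namespace are spelled `OrganizaztionUnits`, while the contributor added to the same project declares `namespace LINGYUN.Abp.Identity.OrganizationUnits`, so the assembly ships two differently spelled namespaces. Correcting the spelling is cheapest now, before other projects reference the package name. `AbpIdentityOrganizaztionUnitsModule` also has an empty body; a one-line summary such as `/// Adds organization unit claims to principals created by the identity module.` would explain why it exists.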
diff --git a/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN/Abp/Identity/OrganizaztionUnits/OrganizationUnitClaimsPrincipalContributor.cs b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN/Abp/Identity/OrganizaztionUnits/OrganizationUnitClaimsPrincipalContributor.cs
new file mode 100644
index 000000000..9854e9c38
--- /dev/null
+++ b/aspnet-core/modules/authorization/LINGYUN.Abp.Identity.OrganizaztionUnits/LINGYUN/Abp/Identity/OrganizaztionUnits/OrganizationUnitClaimsPrincipalContributor.cs
@@ -0,0 +1,57 @@ +using LINGYUN.Abp.Authorization.OrganizationUnits; +using System.Linq; +using System.Security.Claims; +using System.Security.Principal; +using System.Threading.Tasks; +using Volo.Abp.DependencyInjection; +using Volo.Abp.Security.Claims; + +namespace LINGYUN.Abp.Identity.OrganizationUnits; + +public class OrganizationUnitClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency +{ + // https://github.com/dotnet/aspnetcore/blob/v5.0.0/src/Identity/Extensions.Core/src/UserClaimsPrincipalFactory.cs#L79 + private static string IdentityAuthenticationType => "Identity.Application"; + + private readonly IIdentityUserRepository _identityUserRepository; + private readonly IIdentityRoleRepository _identityRoleRepository; + + public OrganizationUnitClaimsPrincipalContributor( + IIdentityUserRepository identityUserRepository, + IIdentityRoleRepository identityRoleRepository) + { + _identityUserRepository = identityUserRepository; + _identityRoleRepository = identityRoleRepository; + } + + public async virtual Task ContributeAsync(AbpClaimsPrincipalContributorContext context) + { + var claimsIdentity = context.ClaimsPrincipal.Identities.First(x => x.AuthenticationType == IdentityAuthenticationType); + + var userId = claimsIdentity.FindUserId(); + if (!userId.HasValue) + { + return; + } + + var userOus = await _identityUserRepository.GetOrganizationUnitsAsync(userId.Value); + + foreach (var userOu in userOus) + { + claimsIdentity.AddClaim(new Claim(AbpOrganizationUnitClaimTypes.OrganizationUnit, userOu.Id.ToString())); + } + + var userRoles = claimsIdentity + .FindAll(x => x.Type == AbpClaimTypes.Role) + .Select(x => x.Value) + .Distinct(); + + var roleOus = await _identityRoleRepository.GetOrganizationUnitsAsync(userRoles); + foreach (var roleOu in roleOus) + { + claimsIdentity.AddClaim(new Claim(AbpOrganizationUnitClaimTypes.OrganizationUnit, roleOu.Id.ToString())); + } + + 
context.ClaimsPrincipal.AddIdentityIfNotContains(claimsIdentity); + } +} diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs index 8a03ec30f..2901e661b 100644 --- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs +++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs @@ -32,6 +32,7 @@ namespace LINGYUN.Abp.Identity origanizationUnitPermission.AddChild(IdentityPermissions.OrganizationUnits.Delete, L("Permission:Delete")); origanizationUnitPermission.AddChild(IdentityPermissions.OrganizationUnits.ManageRoles, L("Permission:ManageRoles")); origanizationUnitPermission.AddChild(IdentityPermissions.OrganizationUnits.ManageUsers, L("Permission:ManageUsers")); + origanizationUnitPermission.AddChild(IdentityPermissions.OrganizationUnits.ManagePermissions, L("Permission:ChangePermissions")); // 2020-10-23 修复Bug 租户用户也必须能查询自定义的声明, 管理权限只能为主机 var identityClaimType = identityGroup.AddPermission(IdentityPermissions.IdentityClaimType.Default, L("Permission:IdentityClaimTypeManagement")); diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs index 1c9780c9b..af54cac5f 100644 --- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs +++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs 
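Review bot: In `ContributeAsync`, `context.ClaimsPrincipal.Identities.First(x => x.AuthenticationType == IdentityAuthenticationType)` throws `InvalidOperationException` whenever the principal has no identity of type `Identity.Application`, so a principal built through any other scheme fails in this contributor instead of simply receiving no organization-unit claims. Use `var claimsIdentity = context.ClaimsPrincipal.Identities.FirstOrDefault(x => x.AuthenticationType == IdentityAuthenticationType);` followed by `if (claimsIdentity == null) { return; }`. The role-derived units further down depend on role claims already being present on that identity when this contributor runs; contributor ordering is not visible in this diff, so that assumption should be stated in a comment above `userRoles`.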
@@ -23,7 +23,8 @@ namespace LINGYUN.Abp.Identity public const string Update = Default + ".Update"; public const string Delete = Default + ".Delete"; public const string ManageUsers = Default + ".ManageUsers"; - public const string ManageRoles = Default + ".ManageRoles"; + public const string ManageRoles = Default + ".ManageRoles"; + public const string ManagePermissions = Default + ".ManagePermissions"; } public static class IdentityClaimType diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/IIdentityRoleRepository.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/IIdentityRoleRepository.cs index 58d93a49b..2a132c9d6 100644 --- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/IIdentityRoleRepository.cs +++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/IIdentityRoleRepository.cs @@ -19,6 +19,11 @@ namespace LINGYUN.Abp.Identity bool includeDetails = false, CancellationToken cancellationToken = default); + Task> GetOrganizationUnitsAsync( + IEnumerable roleNames, + bool includeDetails = false, + CancellationToken cancellationToken = default); + Task> GetRolesInOrganizationUnitAsync( Guid organizationUnitId, CancellationToken cancellationToken = default diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityRoleRepository.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityRoleRepository.cs index 3ec97058d..dbcc14ac7 100644 --- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityRoleRepository.cs +++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityRoleRepository.cs 
@@ -44,6 +44,21 @@ namespace LINGYUN.Abp.Identity.EntityFrameworkCore return await query.ToListAsync(GetCancellationToken(cancellationToken)); } + public virtual async Task> GetOrganizationUnitsAsync( + IEnumerable roleNames, + bool includeDetails = false, + CancellationToken cancellationToken = default) + { + var dbContext = await GetDbContextAsync(); + var query = from roleOU in dbContext.Set() + join role in dbContext.Roles on roleOU.RoleId equals role.Id + join ou in dbContext.OrganizationUnits.IncludeDetails(includeDetails) on roleOU.OrganizationUnitId equals ou.Id + where roleNames.Contains(role.Name) + select ou; + + return await query.ToListAsync(GetCancellationToken(cancellationToken)); + } + public virtual async Task> GetRolesInOrganizationsListAsync( List organizationUnitIds, CancellationToken cancellationToken = default) diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityUserRepository.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityUserRepository.cs index 27daf74df..9ebd9515d 100644 --- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityUserRepository.cs +++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityUserRepository.cs 
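Review bot: The new `GetOrganizationUnitsAsync` query returns an organization unit once for every matching role linked to it, because the joined rows are selected without de-duplication, and the claims contributor in this commit then adds one claim per returned row. De-duplicating by id, either in the query or in the caller before `AddClaim`, keeps the issued principal small. The filter compares against `role.Name`, so it relies on the role claim carrying the exact stored name; a short comment saying so would help, and `roleNames` is not guarded against null. The enclosing class starts and ends outside the hunk.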
@@ -79,8 +79,29 @@ namespace LINGYUN.Abp.Identity.EntityFrameworkCore ) { var dbContext = await GetDbContextAsync(); + //var userUoDbSet = dbContext.Set(); + //var roleUoDbSet = dbContext.Set(); + //var userRoleDbSet = dbContext.Set(); + + //var userUo = from usrUo in userUoDbSet + // join usr in dbContext.Users on usrUo.UserId equals usr.Id + // join ou in dbContext.OrganizationUnits.IncludeDetails(includeDetails) + // on usrUo.OrganizationUnitId equals ou.Id + // where usr.Id == id + // select ou; + + //var roleUo = from urol in userRoleDbSet + // join rol in dbContext.Roles on urol.RoleId equals rol.Id + // join rolUo in roleUoDbSet on rol.Id equals rolUo.RoleId + // join ou in dbContext.OrganizationUnits.IncludeDetails(includeDetails) + // on rolUo.OrganizationUnitId equals ou.Id + // where urol.UserId == id + // select ou; + var query = from userOU in dbContext.Set() - join ou in dbContext.OrganizationUnits.IncludeDetails(includeDetails) on userOU.OrganizationUnitId equals ou.Id + join ro in dbContext.Set() on userOU.UserId equals ro.UserId + join ou in dbContext.OrganizationUnits.IncludeDetails(includeDetails) + on userOU.OrganizationUnitId equals ou.Id where userOU.UserId == id select ou; diff --git a/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/FodyWeavers.xml b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/FodyWeavers.xml new file mode 100644 index 000000000..1715698cc --- /dev/null +++ b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/FodyWeavers.xml @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/FodyWeavers.xsd b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/FodyWeavers.xsd new file mode 100644 index 000000000..11da52550 
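Review bot: The added `join ro in dbContext.Set() on userOU.UserId equals ro.UserId` is an inner join whose range variable `ro` is never used in `where` or `select`, so its only effect is on the row count: a user with no rows in the joined set gets no organization units back, and a user with several rows gets each unit repeated. Assuming the joined set is the user-role table (the type argument is not legible in this rendering), users without any role would lose their organization-unit claims and every permission granted through them. I would drop the join and keep the original two-table query, and remove the block of commented-out queries added above it. The method signature lies outside the hunk.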
--- /dev/null +++ b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/FodyWeavers.xsd @@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + 'true' to run assembly verification (PEVerify) on the target assembly after all weavers have been executed. + + + + + A comma-separated list of error codes that can be safely ignored in assembly verification. + + + + + 'false' to turn off automatic generation of the XML Schema file. + + + + + \ No newline at end of file diff --git a/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits.csproj b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits.csproj new file mode 100644 index 000000000..553948488 --- /dev/null +++ b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits.csproj @@ -0,0 +1,20 @@ + + + + + + + netstandard2.0 + + + + + + + + + + + + + diff --git a/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/AbpPermissionManagementDomainOrganizationUnitsModule.cs b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/AbpPermissionManagementDomainOrganizationUnitsModule.cs new file mode 100644 index 000000000..cf57e6907 --- /dev/null +++ b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/AbpPermissionManagementDomainOrganizationUnitsModule.cs 
@@ -0,0 +1,25 @@
+using LINGYUN.Abp.Authorization.OrganizationUnits;
+using LINGYUN.Abp.Authorization.Permissions;
+using LINGYUN.Abp.Identity;
+using Volo.Abp.Modularity;
+using Volo.Abp.PermissionManagement;
+
+namespace LINGYUN.Abp.PermissionManagement.OrganizationUnits;
+
+[DependsOn(
+ typeof(AbpIdentityDomainModule),
+ typeof(AbpPermissionManagementDomainModule),
+ typeof(AbpAuthorizationOrganizationUnitsModule)
+ )]
+public class AbpPermissionManagementDomainOrganizationUnitsModule : AbpModule
+{
+ public override void ConfigureServices(ServiceConfigurationContext context)
+ {
+ Configure(options =>
+ {
+ options.ManagementProviders.Add();
+
+ options.ProviderPolicies[OrganizationUnitPermissionValueProvider.ProviderName] = "AbpIdentity.OrganizationUnits.ManagePermissions";
+ });
+ }
+}
diff --git a/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/OrganizationUnitDeletedEventHandler.cs b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/OrganizationUnitDeletedEventHandler.cs
new file mode 100644
index 000000000..01df3ad84
--- /dev/null
+++ b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/OrganizationUnitDeletedEventHandler.cs
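Review bot: The policy name `"AbpIdentity.OrganizationUnits.ManagePermissions"` in `ConfigureServices` is a bare string literal, so a typo or a later rename of the permission would leave this provider policy pointing at a name nothing defines, and the mistake would only surface at run time when someone tries to manage organization-unit grants. Reference the permission-name constant from the identity permissions class instead, if one exists for this permission (not visible on this page), or declare a `const string` beside the provider. The hunk in `BackendAdminHttpApiHostModule.Configure.cs` goes the other way for `ClientPermissionValueProvider.ProviderName`, replacing the constant `AbpIdentityServerPermissions.Clients.ManagePermissions` with the literal `"AbpIdentityServer.Clients.ManagePermissions"`, and has the same drawback.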
@@ -0,0 +1,26 @@
+using LINGYUN.Abp.Authorization.Permissions;
+using System.Threading.Tasks;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.Domain.Entities.Events.Distributed;
+using Volo.Abp.EventBus.Distributed;
+using Volo.Abp.Identity;
+using Volo.Abp.PermissionManagement;
+
+namespace LINGYUN.Abp.PermissionManagement.OrganizationUnits;
+
+public class OrganizationUnitDeletedEventHandler :
+ IDistributedEventHandler>,
+ ITransientDependency
+{
+ protected IPermissionManager PermissionManager { get; }
+
+ public OrganizationUnitDeletedEventHandler(IPermissionManager permissionManager)
+ {
+ PermissionManager = permissionManager;
+ }
+
+ public async Task HandleEventAsync(EntityDeletedEto eventData)
+ {
+ await PermissionManager.DeleteAsync(OrganizationUnitPermissionValueProvider.ProviderName, eventData.Entity.Id.ToString());
+ }
+}
diff --git a/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/OrganizationUnitPermissionManagementProvider.cs b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/OrganizationUnitPermissionManagementProvider.cs
new file mode 100644
index 000000000..a52317dc0
--- /dev/null
+++ b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/LINGYUN/Abp/PermissionManagement/OrganizationUnits/OrganizationUnitPermissionManagementProvider.cs
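Review bot: `HandleEventAsync` is the only place visible in this commit that removes grants stored under an organization unit's id, yet it carries no comment saying so and is not `virtual`, although the class exposes a `protected` `PermissionManager` property as if it were meant to be subclassed. I would add `/// <summary>Removes every permission grant stored for an organization unit once that unit has been deleted.</summary>` above the method and declare it `public virtual async Task`. If delivery of the deleted event fails, grants keyed by the old id stay in the store; that may be worth a line in the summary as well.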
@@ -0,0 +1,96 @@ +using LINGYUN.Abp.Authorization.Permissions; +using LINGYUN.Abp.Identity; +using System; +using System.Collections.Generic; +using System.Linq; +using System.Threading.Tasks; +using Volo.Abp.Authorization.Permissions; +using Volo.Abp.Guids; +using Volo.Abp.MultiTenancy; +using Volo.Abp.PermissionManagement; +using UserManager = Volo.Abp.Identity.IdentityUserManager; + +namespace LINGYUN.Abp.PermissionManagement.OrganizationUnits; +public class OrganizationUnitPermissionManagementProvider : PermissionManagementProvider +{ + public override string Name => OrganizationUnitPermissionValueProvider.ProviderName; + + protected UserManager UserManager { get; } + protected IIdentityUserRepository IdentityUserRepository { get; } + protected IIdentityRoleRepository IdentityRoleRepository { get; } + + public OrganizationUnitPermissionManagementProvider( + IPermissionGrantRepository permissionGrantRepository, + IIdentityUserRepository identityUserRepository, + IIdentityRoleRepository identityRoleRepository, + UserManager userManager, + IGuidGenerator guidGenerator, + ICurrentTenant currentTenant) + : base( + permissionGrantRepository, + guidGenerator, + currentTenant) + { + UserManager = userManager; + IdentityUserRepository = identityUserRepository; + IdentityRoleRepository = identityRoleRepository; + } + + public override async Task CheckAsync(string name, string providerName, string providerKey) + { + var multipleGrantInfo = await CheckAsync(new[] { name }, providerName, providerKey); + + return multipleGrantInfo.Result.Values.First(); + } + + public override async Task CheckAsync(string[] names, string providerName, string providerKey) + { + var multiplePermissionValueProviderGrantInfo = new MultiplePermissionValueProviderGrantInfo(names); + var permissionGrants = new List(); + + if (providerName == Name) + { + permissionGrants.AddRange(await PermissionGrantRepository.GetListAsync(names, providerName, providerKey)); + + } + + if (providerName == 
RolePermissionValueProvider.ProviderName) + { + var role = await IdentityRoleRepository.FindByNormalizedNameAsync(UserManager.NormalizeName(providerKey)); + var organizationUnits = await IdentityRoleRepository.GetOrganizationUnitsAsync(role.Id); + + foreach (var organizationUnit in organizationUnits) + { + permissionGrants.AddRange(await PermissionGrantRepository.GetListAsync(names, Name, organizationUnit.Id.ToString())); + } + } + + if (providerName == UserPermissionValueProvider.ProviderName) + { + var userId = Guid.Parse(providerKey); + var organizationUnits = await IdentityUserRepository.GetOrganizationUnitsAsync(userId); + + foreach (var organizationUnit in organizationUnits) + { + permissionGrants.AddRange(await PermissionGrantRepository.GetListAsync(names, Name, organizationUnit.Id.ToString())); + } + } + + permissionGrants = permissionGrants.Distinct().ToList(); + if (!permissionGrants.Any()) + { + return multiplePermissionValueProviderGrantInfo; + } + + foreach (var permissionName in names) + { + var permissionGrant = permissionGrants.FirstOrDefault(x => x.Name == permissionName); + if (permissionGrant != null) + { + multiplePermissionValueProviderGrantInfo.Result[permissionName] = new PermissionValueProviderGrantInfo(true, permissionGrant.ProviderKey); + } + } + + return multiplePermissionValueProviderGrantInfo; + } +} diff --git a/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/Volo/Abp/PermissionManagement/OrganizationUnitPermissionManagerExtensions.cs b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/Volo/Abp/PermissionManagement/OrganizationUnitPermissionManagerExtensions.cs new file mode 100644 index 000000000..20ee29e9e --- /dev/null +++ b/aspnet-core/modules/permissions-management/LINGYUN.Abp.PermissionManagement.Domain.OrganizationUnits/Volo/Abp/PermissionManagement/OrganizationUnitPermissionManagerExtensions.cs 
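Review bot: In the role branch of `CheckAsync(string[] names, ...)`, `role.Id` is dereferenced without checking the result of `FindByNormalizedNameAsync`, and in the user branch `Guid.Parse(providerKey)` throws on a key that is not a GUID, so a permission check for an unknown role name or a malformed user key fails with an exception instead of reporting the permissions as not granted. Both branches should return the untouched `multiplePermissionValueProviderGrantInfo` in that case, as sketched below; this assumes the freshly constructed result reports every name as not granted, which the existing early return for an empty grant list also relies on. Separately, each branch issues one `GetListAsync` call per organization unit; a single query over all unit ids would be cheaper if the repository offers one.

```csharp
if (providerName == RolePermissionValueProvider.ProviderName)
{
    var role = await IdentityRoleRepository.FindByNormalizedNameAsync(UserManager.NormalizeName(providerKey));
    if (role == null)
    {
        // Unknown role: nothing can be granted through its organization units.
        return multiplePermissionValueProviderGrantInfo;
    }
    // … unchanged: organization-unit lookup and grant collection for the role …
}

if (providerName == UserPermissionValueProvider.ProviderName)
{
    if (!Guid.TryParse(providerKey, out var userId))
    {
        // Malformed user key: report not granted rather than throwing.
        return multiplePermissionValueProviderGrantInfo;
    }
    // … unchanged: organization-unit lookup and grant collection for the user …
}
```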
@@ -0,0 +1,40 @@
+using JetBrains.Annotations;
+using LINGYUN.Abp.Authorization.Permissions;
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+namespace Volo.Abp.PermissionManagement;
+
+public static class OrganizationUnitPermissionManagerExtensions
+{
+ public static Task GetForOrganizationUnitAsync(
+ [NotNull] this IPermissionManager permissionManager,
+ Guid organizationUnitId,
+ string permissionName)
+ {
+ Check.NotNull(permissionManager, nameof(permissionManager));
+
+ return permissionManager.GetAsync(permissionName, OrganizationUnitPermissionValueProvider.ProviderName, organizationUnitId.ToString());
+ }
+
+ public static Task> GetAllForOrganizationUnitAsync(
+ [NotNull] this IPermissionManager permissionManager,
+ Guid organizationUnitId)
+ {
+ Check.NotNull(permissionManager, nameof(permissionManager));
+
+ return permissionManager.GetAllAsync(OrganizationUnitPermissionValueProvider.ProviderName, organizationUnitId.ToString());
+ }
+
+ public static Task SetForOrganizationUnitAsync(
+ [NotNull] this IPermissionManager permissionManager,
+ Guid organizationUnitId,
+ [NotNull] string permissionName,
+ bool isGranted)
+ {
+ Check.NotNull(permissionManager, nameof(permissionManager));
+
+ return permissionManager.SetAsync(permissionName, OrganizationUnitPermissionValueProvider.ProviderName, organizationUnitId.ToString(), isGranted);
+ }
+}
diff --git a/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.Configure.cs b/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.Configure.cs
index 5de9c1643..ac8d92932 100644
--- a/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.Configure.cs
+++ b/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.Configure.cs
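Review bot: `SetForOrganizationUnitAsync` marks `permissionName` as `[NotNull]` but only `permissionManager` is checked, and `GetForOrganizationUnitAsync` takes the same parameter with neither annotation nor check. Add `Check.NotNull(permissionName, nameof(permissionName));` to both methods and annotate the parameter in `GetForOrganizationUnitAsync` so the three extensions agree. None of the methods has an XML summary; one line each stating that the grant is read or written under `OrganizationUnitPermissionValueProvider.ProviderName` with the unit id as provider key would be enough.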
@@ -119,8 +119,7 @@ public partial class BackendAdminHttpApiHostModule { // Rename IdentityServer.Client.ManagePermissions // See https://github.com/abpframework/abp/blob/dev/modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/PermissionManagement/IdentityServer/AbpPermissionManagementDomainIdentityServerModule.cs - options.ProviderPolicies[ClientPermissionValueProvider.ProviderName] = - LINGYUN.Abp.IdentityServer.AbpIdentityServerPermissions.Clients.ManagePermissions; + options.ProviderPolicies[ClientPermissionValueProvider.ProviderName] = "AbpIdentityServer.Clients.ManagePermissions"; }); } diff --git a/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.cs b/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.cs index 1a0c38792..927d353ce 100644 --- a/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.cs +++ b/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/BackendAdminHttpApiHostModule.cs @@ -6,10 +6,11 @@ using LINGYUN.Abp.Data.DbMigrator; using LINGYUN.Abp.EventBus.CAP; using LINGYUN.Abp.ExceptionHandling.Emailing; using LINGYUN.Abp.FeatureManagement; +using LINGYUN.Abp.Identity.EntityFrameworkCore; using LINGYUN.Abp.Localization.CultureMap; using LINGYUN.Abp.LocalizationManagement.EntityFrameworkCore; using LINGYUN.Abp.Logging.Serilog.Elasticsearch; -using LINGYUN.Abp.PermissionManagement.Identity; +using LINGYUN.Abp.PermissionManagement.OrganizationUnits; using LINGYUN.Abp.Saas; using LINGYUN.Abp.Saas.EntityFrameworkCore; using LINGYUN.Abp.Serilog.Enrichers.Application; 
@@ -29,12 +30,12 @@ using Volo.Abp.Caching.StackExchangeRedis; using Volo.Abp.EntityFrameworkCore.MySQL; using Volo.Abp.FeatureManagement; using Volo.Abp.FeatureManagement.EntityFrameworkCore; -using Volo.Abp.Identity.EntityFrameworkCore; using Volo.Abp.IdentityServer.EntityFrameworkCore; using Volo.Abp.Modularity; using Volo.Abp.PermissionManagement; using Volo.Abp.PermissionManagement.EntityFrameworkCore; using Volo.Abp.PermissionManagement.HttpApi; +using Volo.Abp.PermissionManagement.Identity; using Volo.Abp.PermissionManagement.IdentityServer; using Volo.Abp.SettingManagement.EntityFrameworkCore; @@ -61,6 +62,7 @@ namespace LY.MicroService.BackendAdmin; typeof(AbpEntityFrameworkCoreMySQLModule), typeof(AbpIdentityEntityFrameworkCoreModule),// 用户角色权限需要引用包 typeof(AbpIdentityServerEntityFrameworkCoreModule), // 客户端权限需要引用包 + typeof(AbpPermissionManagementDomainOrganizationUnitsModule), // 组织机构权限管理 typeof(AbpSaasEntityFrameworkCoreModule), typeof(AbpSettingManagementEntityFrameworkCoreModule), typeof(AbpPermissionManagementDomainIdentityModule), diff --git a/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/LY.MicroService.BackendAdmin.HttpApi.Host.csproj b/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/LY.MicroService.BackendAdmin.HttpApi.Host.csproj index 14c379ce8..300b51c12 100644 --- a/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/LY.MicroService.BackendAdmin.HttpApi.Host.csproj +++ b/aspnet-core/services/LY.MicroService.BackendAdmin.HttpApi.Host/LY.MicroService.BackendAdmin.HttpApi.Host.csproj @@ -41,7 +41,6 @@ - @@ -57,14 +56,15 @@ - + - + + diff --git a/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LY.MicroService.LocalizationManagement.HttpApi.Host.csproj b/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LY.MicroService.LocalizationManagement.HttpApi.Host.csproj index 60cfd030f..b83c5968e 100644 
--- a/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LY.MicroService.LocalizationManagement.HttpApi.Host.csproj +++ b/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LY.MicroService.LocalizationManagement.HttpApi.Host.csproj @@ -36,6 +36,7 @@ + diff --git a/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LocalizationManagementHttpApiHostModule.cs b/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LocalizationManagementHttpApiHostModule.cs index 44553cb88..a5ae43a93 100644 --- a/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LocalizationManagementHttpApiHostModule.cs +++ b/aspnet-core/services/LY.MicroService.LocalizationManagement.HttpApi.Host/LocalizationManagementHttpApiHostModule.cs @@ -1,6 +1,7 @@ using DotNetCore.CAP; using LINGYUN.Abp.AspNetCore.HttpOverrides; using LINGYUN.Abp.AuditLogging.Elasticsearch; +using LINGYUN.Abp.Authorization.OrganizationUnits; using LINGYUN.Abp.Data.DbMigrator; using LINGYUN.Abp.EventBus.CAP; using LINGYUN.Abp.ExceptionHandling.Emailing; @@ -41,6 +42,7 @@ namespace LY.MicroService.LocalizationManagement typeof(AbpPermissionManagementEntityFrameworkCoreModule), typeof(AbpDataDbMigratorModule), typeof(AbpAspNetCoreAuthenticationJwtBearerModule), + typeof(AbpAuthorizationOrganizationUnitsModule), typeof(AbpEmailingExceptionHandlingModule), typeof(AbpCAPEventBusModule), typeof(AbpCachingStackExchangeRedisModule), diff --git a/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/LY.MicroService.PlatformManagement.HttpApi.Host.csproj b/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/LY.MicroService.PlatformManagement.HttpApi.Host.csproj index 0c69ac63b..2aaaa465e 100644 --- a/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/LY.MicroService.PlatformManagement.HttpApi.Host.csproj 
+++ b/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/LY.MicroService.PlatformManagement.HttpApi.Host.csproj @@ -40,6 +40,7 @@ + diff --git a/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/PlatformManagementHttpApiHostModule.cs b/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/PlatformManagementHttpApiHostModule.cs index 294553b5a..bcdee3576 100644 --- a/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/PlatformManagementHttpApiHostModule.cs +++ b/aspnet-core/services/LY.MicroService.PlatformManagement.HttpApi.Host/PlatformManagementHttpApiHostModule.cs @@ -1,6 +1,7 @@ using DotNetCore.CAP; using LINGYUN.Abp.AspNetCore.HttpOverrides; using LINGYUN.Abp.AuditLogging.Elasticsearch; +using LINGYUN.Abp.Authorization.OrganizationUnits; using LINGYUN.Abp.Data.DbMigrator; using LINGYUN.Abp.EventBus.CAP; using LINGYUN.Abp.ExceptionHandling.Emailing; @@ -64,6 +65,7 @@ namespace LY.MicroService.PlatformManagement; typeof(AbpLocalizationManagementEntityFrameworkCoreModule), typeof(AbpDataDbMigratorModule), typeof(AbpAspNetCoreAuthenticationJwtBearerModule), + typeof(AbpAuthorizationOrganizationUnitsModule), typeof(AbpNotificationModule), typeof(AbpEmailingExceptionHandlingModule), typeof(AbpCAPEventBusModule), diff --git a/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/LY.MicroService.RealtimeMessage.HttpApi.Host.csproj b/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/LY.MicroService.RealtimeMessage.HttpApi.Host.csproj index 40ffdc64f..b31fbd568 100644 --- a/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/LY.MicroService.RealtimeMessage.HttpApi.Host.csproj +++ b/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/LY.MicroService.RealtimeMessage.HttpApi.Host.csproj @@ -41,6 +41,7 @@ + 
diff --git a/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/RealtimeMessageHttpApiHostModule.cs b/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/RealtimeMessageHttpApiHostModule.cs index 69b28faef..3ae527f91 100644 --- a/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/RealtimeMessageHttpApiHostModule.cs +++ b/aspnet-core/services/LY.MicroService.RealtimeMessage.HttpApi.Host/RealtimeMessageHttpApiHostModule.cs @@ -2,6 +2,7 @@ using Hangfire; using LINGYUN.Abp.AspNetCore.HttpOverrides; using LINGYUN.Abp.AuditLogging.Elasticsearch; +using LINGYUN.Abp.Authorization.OrganizationUnits; using LINGYUN.Abp.BackgroundJobs.Hangfire; using LINGYUN.Abp.BackgroundWorkers.Hangfire; using LINGYUN.Abp.Data.DbMigrator; @@ -55,6 +56,7 @@ namespace LY.MicroService.RealtimeMessage typeof(AbpLocalizationManagementEntityFrameworkCoreModule), typeof(AbpDataDbMigratorModule), typeof(AbpAspNetCoreAuthenticationJwtBearerModule), + typeof(AbpAuthorizationOrganizationUnitsModule), typeof(AbpHangfireMySqlStorageModule), typeof(AbpBackgroundJobsHangfireModule), typeof(AbpBackgroundWorkersHangfireModule), diff --git a/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/LY.MicroService.TaskManagement.HttpApi.Host.csproj b/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/LY.MicroService.TaskManagement.HttpApi.Host.csproj index 293653249..16ad96963 100644 --- a/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/LY.MicroService.TaskManagement.HttpApi.Host.csproj +++ b/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/LY.MicroService.TaskManagement.HttpApi.Host.csproj @@ -54,6 +54,7 @@ + diff --git a/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/TaskManagementHttpApiHostModule.cs b/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/TaskManagementHttpApiHostModule.cs index ac0cc8b7d..832d13e55 100644 
--- a/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/TaskManagementHttpApiHostModule.cs +++ b/aspnet-core/services/LY.MicroService.TaskManagement.HttpApi.Host/TaskManagementHttpApiHostModule.cs @@ -1,5 +1,6 @@ using DotNetCore.CAP; using LINGYUN.Abp.AuditLogging.Elasticsearch; +using LINGYUN.Abp.Authorization.OrganizationUnits; using LINGYUN.Abp.BackgroundTasks.ExceptionHandling; using LINGYUN.Abp.BackgroundTasks.Jobs; using LINGYUN.Abp.BackgroundTasks.Quartz; @@ -42,6 +43,7 @@ namespace LY.MicroService.TaskManagement; typeof(AbpDistributedLockingModule), typeof(AbpEntityFrameworkCoreMySQLModule), typeof(AbpAspNetCoreAuthenticationJwtBearerModule), + typeof(AbpAuthorizationOrganizationUnitsModule), typeof(AbpEmailingExceptionHandlingModule), typeof(AbpHttpClientIdentityModelWebModule), typeof(AbpAspNetCoreMultiTenancyModule), diff --git a/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/LY.MicroService.WebhooksManagement.HttpApi.Host.csproj b/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/LY.MicroService.WebhooksManagement.HttpApi.Host.csproj index e1a0c0cce..50c7fb7f7 100644 --- a/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/LY.MicroService.WebhooksManagement.HttpApi.Host.csproj +++ b/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/LY.MicroService.WebhooksManagement.HttpApi.Host.csproj @@ -46,6 +46,7 @@ + diff --git a/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/WebhooksManagementHttpApiHostModule.cs b/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/WebhooksManagementHttpApiHostModule.cs index 8b50d4bc5..6e4e7b44b 100644 --- a/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/WebhooksManagementHttpApiHostModule.cs +++ b/aspnet-core/services/LY.MicroService.WebhooksManagement.HttpApi.Host/WebhooksManagementHttpApiHostModule.cs 
@@ -1,6 +1,7 @@ using DotNetCore.CAP; using LINGYUN.Abp.AspNetCore.Mvc.Wrapper; using LINGYUN.Abp.AuditLogging.Elasticsearch; +using LINGYUN.Abp.Authorization.OrganizationUnits; using LINGYUN.Abp.BackgroundTasks.ExceptionHandling; using LINGYUN.Abp.BackgroundTasks.Quartz; using LINGYUN.Abp.EventBus.CAP; @@ -50,6 +51,7 @@ namespace LY.MicroService.WebhooksManagement; typeof(TaskManagementEntityFrameworkCoreModule), typeof(AbpEntityFrameworkCoreMySQLModule), typeof(AbpAspNetCoreAuthenticationJwtBearerModule), + typeof(AbpAuthorizationOrganizationUnitsModule), typeof(AbpEmailingExceptionHandlingModule), typeof(AbpCAPEventBusModule), typeof(AbpHttpClientIdentityModelWebModule), diff --git a/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/IdentityServerHttpApiHostModule.cs b/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/IdentityServerHttpApiHostModule.cs index 6e1449c60..8ae20e3ff 100644 --- a/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/IdentityServerHttpApiHostModule.cs +++ b/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/IdentityServerHttpApiHostModule.cs @@ -1,6 +1,7 @@ using DotNetCore.CAP; using LINGYUN.Abp.AspNetCore.HttpOverrides; using LINGYUN.Abp.AuditLogging.Elasticsearch; +using LINGYUN.Abp.Authorization.OrganizationUnits; using LINGYUN.Abp.EventBus.CAP; using LINGYUN.Abp.ExceptionHandling.Emailing; using LINGYUN.Abp.Localization.CultureMap; @@ -45,6 +46,7 @@ namespace LY.MicroService.IdentityServer; typeof(AbpPermissionManagementEntityFrameworkCoreModule), typeof(AbpLocalizationManagementEntityFrameworkCoreModule), typeof(AbpAspNetCoreAuthenticationJwtBearerModule), + typeof(AbpAuthorizationOrganizationUnitsModule), typeof(AbpAuditLoggingElasticsearchModule), typeof(AbpEmailingExceptionHandlingModule), typeof(AbpCAPEventBusModule), 
diff --git a/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/LY.MicroService.identityServer.HttpApi.Host.csproj b/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/LY.MicroService.identityServer.HttpApi.Host.csproj index 5f221fe47..47d3f1560 100644 --- a/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/LY.MicroService.identityServer.HttpApi.Host.csproj +++ b/aspnet-core/services/LY.MicroService.identityServer.HttpApi.Host/LY.MicroService.identityServer.HttpApi.Host.csproj @@ -55,6 +55,7 @@ + diff --git a/aspnet-core/services/LY.MicroService.identityServer/IdentityServerModule.cs b/aspnet-core/services/LY.MicroService.identityServer/IdentityServerModule.cs index a80422d65..262f777e7 100644 --- a/aspnet-core/services/LY.MicroService.identityServer/IdentityServerModule.cs +++ b/aspnet-core/services/LY.MicroService.identityServer/IdentityServerModule.cs @@ -4,12 +4,12 @@ using LINGYUN.Abp.AuditLogging.Elasticsearch; using LINGYUN.Abp.Data.DbMigrator; using LINGYUN.Abp.EventBus.CAP; using LINGYUN.Abp.Identity.EntityFrameworkCore; +using LINGYUN.Abp.Identity.OrganizaztionUnits; using LINGYUN.Abp.IdentityServer; using LINGYUN.Abp.IdentityServer.EntityFrameworkCore; using LINGYUN.Abp.IdentityServer.QQ; using LINGYUN.Abp.IdentityServer.WeChat; using LINGYUN.Abp.Localization.CultureMap; -using LINGYUN.Abp.PermissionManagement.Identity; using LINGYUN.Abp.Saas.EntityFrameworkCore; using LINGYUN.Abp.Serilog.Enrichers.Application; using LINGYUN.Abp.Serilog.Enrichers.UniqueId; @@ -33,6 +33,7 @@ using Volo.Abp.Identity; using Volo.Abp.IdentityServer.Jwt; using Volo.Abp.Modularity; using Volo.Abp.PermissionManagement.EntityFrameworkCore; +using Volo.Abp.PermissionManagement.Identity; using Volo.Abp.SettingManagement.EntityFrameworkCore; namespace LY.MicroService.IdentityServer; 
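Review bot: The namespace imported in the `IdentityServerModule.cs` using block, `LINGYUN.Abp.Identity.OrganizaztionUnits`, misspells "Organization", and the same spelling is carried by the module type `AbpIdentityOrganizaztionUnitsModule` registered in the `DependsOn` hunk of this file and by the project entry this commit adds to the solution. Since this commit introduces the name, now is the cheapest time to correct it to `LINGYUN.Abp.Identity.OrganizationUnits` and `AbpIdentityOrganizationUnitsModule`; once other projects reference it, the rename becomes a breaking change for every consumer.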
@@ -54,6 +55,7 @@ namespace LY.MicroService.IdentityServer; typeof(AbpIdentityServerSmsValidatorModule), typeof(AbpIdentityServerWeChatModule), typeof(AbpIdentityServerQQModule), + typeof(AbpIdentityOrganizaztionUnitsModule), typeof(AbpPermissionManagementDomainIdentityModule), typeof(AbpPermissionManagementEntityFrameworkCoreModule), typeof(AbpSettingManagementEntityFrameworkCoreModule), diff --git a/aspnet-core/services/LY.MicroService.identityServer/LY.MicroService.IdentityServer.csproj b/aspnet-core/services/LY.MicroService.identityServer/LY.MicroService.IdentityServer.csproj index 5c975abed..d8d3b7410 100644 --- a/aspnet-core/services/LY.MicroService.identityServer/LY.MicroService.IdentityServer.csproj +++ b/aspnet-core/services/LY.MicroService.identityServer/LY.MicroService.IdentityServer.csproj @@ -39,6 +39,7 @@ + @@ -46,6 +47,7 @@ + @@ -55,7 +57,6 @@ -