diff --git a/aspnet-core/LINGYUN.MicroService.sln b/aspnet-core/LINGYUN.MicroService.sln
index d8bd1f324..af232f52f 100644
--- a/aspnet-core/LINGYUN.MicroService.sln
+++ b/aspnet-core/LINGYUN.MicroService.sln
@@ -205,9 +205,13 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.FileManagement.
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Platform.HttpApi.Host", "services\platform\LINGYUN.Platform.HttpApi.Host\LINGYUN.Platform.HttpApi.Host.csproj", "{372123C3-3AFD-42C8-BB80-778322EA72C3}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LINGYUN.Abp.IdentityServer.Domain", "modules\identityServer\LINGYUN.Abp.IdentityServer.Domain\LINGYUN.Abp.IdentityServer.Domain.csproj", "{F359AAA1-C854-444A-88F2-1C0D8A07F864}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.IdentityServer.Domain", "modules\identityServer\LINGYUN.Abp.IdentityServer.Domain\LINGYUN.Abp.IdentityServer.Domain.csproj", "{F359AAA1-C854-444A-88F2-1C0D8A07F864}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LINGYUN.Abp.IdentityServer.EntityFrameworkCore", "modules\identityServer\LINGYUN.Abp.IdentityServer.EntityFrameworkCore\LINGYUN.Abp.IdentityServer.EntityFrameworkCore.csproj", "{5D0ED1FC-3A7C-4531-9512-832E73AD9555}"
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "LINGYUN.Abp.IdentityServer.EntityFrameworkCore", "modules\identityServer\LINGYUN.Abp.IdentityServer.EntityFrameworkCore\LINGYUN.Abp.IdentityServer.EntityFrameworkCore.csproj", "{5D0ED1FC-3A7C-4531-9512-832E73AD9555}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LINGYUN.Abp.Identity.Domain", "modules\identity\LINGYUN.Abp.Identity.Domain\LINGYUN.Abp.Identity.Domain.csproj", "{2BF7FB73-0C62-4ECF-99F0-0583855D2777}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "LINGYUN.Abp.Identity.EntityFrameworkCore", "modules\identity\LINGYUN.Abp.Identity.EntityFrameworkCore\LINGYUN.Abp.Identity.EntityFrameworkCore.csproj", "{6FE7E243-2D99-4567-8786-6C9283D608EF}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
@@ -555,6 +559,14 @@ Global
 		{5D0ED1FC-3A7C-4531-9512-832E73AD9555}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{5D0ED1FC-3A7C-4531-9512-832E73AD9555}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{5D0ED1FC-3A7C-4531-9512-832E73AD9555}.Release|Any CPU.Build.0 = Release|Any CPU
+		{2BF7FB73-0C62-4ECF-99F0-0583855D2777}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{2BF7FB73-0C62-4ECF-99F0-0583855D2777}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{2BF7FB73-0C62-4ECF-99F0-0583855D2777}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{2BF7FB73-0C62-4ECF-99F0-0583855D2777}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6FE7E243-2D99-4567-8786-6C9283D608EF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6FE7E243-2D99-4567-8786-6C9283D608EF}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6FE7E243-2D99-4567-8786-6C9283D608EF}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6FE7E243-2D99-4567-8786-6C9283D608EF}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -660,6 +672,8 @@ Global
 		{372123C3-3AFD-42C8-BB80-778322EA72C3} = {E5D1B78A-1A8F-4D52-BF99-A4A863ADE898}
 		{F359AAA1-C854-444A-88F2-1C0D8A07F864} = {0439B173-F41E-4CE0-A44A-CCB70328F272}
 		{5D0ED1FC-3A7C-4531-9512-832E73AD9555} = {0439B173-F41E-4CE0-A44A-CCB70328F272}
+		{2BF7FB73-0C62-4ECF-99F0-0583855D2777} = {52B5D4F7-237B-4E0A-A167-68442164F70A}
+		{6FE7E243-2D99-4567-8786-6C9283D608EF} = {52B5D4F7-237B-4E0A-A167-68442164F70A}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {C95FDF91-16F2-4A8B-A4BE-0E62D1B66718}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Dto/IdentityRoleAddOrRemoveOrganizationUnitDto.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Dto/IdentityRoleAddOrRemoveOrganizationUnitDto.cs
new file mode 100644
index 000000000..195331e60
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Dto/IdentityRoleAddOrRemoveOrganizationUnitDto.cs
@@ -0,0 +1,11 @@
+using System;
+using System.ComponentModel.DataAnnotations;
+
+namespace LINGYUN.Abp.Identity
+{
+    public class IdentityRoleAddOrRemoveOrganizationUnitDto
+    {
+        [Required]
+        public Guid[] OrganizationUnitIds { get; set; }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Dto/IdentityUserOrganizationUnitUpdateDto.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Dto/IdentityUserOrganizationUnitUpdateDto.cs
new file mode 100644
index 000000000..f04c8cb36
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Dto/IdentityUserOrganizationUnitUpdateDto.cs
@@ -0,0 +1,11 @@
+using System;
+using System.ComponentModel.DataAnnotations;
+
+namespace LINGYUN.Abp.Identity
+{
+    public class IdentityUserOrganizationUnitUpdateDto
+    {
+        [Required]
+        public Guid[] OrganizationUnitIds { get; set; }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IIdentityRoleAppService.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IIdentityRoleAppService.cs
new file mode 100644
index 000000000..d70796824
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IIdentityRoleAppService.cs
@@ -0,0 +1,13 @@
+using System;
+using System.Threading.Tasks;
+using Volo.Abp.Application.Dtos;
+using Volo.Abp.Application.Services;
+
+namespace LINGYUN.Abp.Identity
+{
+    public interface IIdentityRoleAppService : IApplicationService
+    {
+        Task<ListResultDto<OrganizationUnitDto>> GetOrganizationUnitsAsync(Guid id);
+        Task SetOrganizationUnitsAsync(Guid id, IdentityRoleAddOrRemoveOrganizationUnitDto input);
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IIdentityUserAppService.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IIdentityUserAppService.cs
new file mode 100644
index 000000000..b21116f4f
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IIdentityUserAppService.cs
@@ -0,0 +1,13 @@
+using System;
+using System.Threading.Tasks;
+using Volo.Abp.Application.Dtos;
+using Volo.Abp.Application.Services;
+
+namespace LINGYUN.Abp.Identity
+{
+    public interface IIdentityUserAppService : IApplicationService
+    {
+        Task<ListResultDto<OrganizationUnitDto>> GetOrganizationUnitsAsync(Guid id);
+        Task UpdateOrganizationUnitsAsync(Guid id, IdentityUserOrganizationUnitUpdateDto input);
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IOrganizationUnitAppService.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IOrganizationUnitAppService.cs
index 9991efcc2..15c9bc56f 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IOrganizationUnitAppService.cs
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IOrganizationUnitAppService.cs
@@ -1,5 +1,4 @@
 using System;
-using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Volo.Abp.Application.Dtos;
 using Volo.Abp.Application.Services;
@@ -27,13 +26,5 @@ namespace LINGYUN.Abp.Identity
         Task<PagedResultDto<IdentityRoleDto>> GetRolesAsync(OrganizationUnitGetRoleByPagedDto input);
 
         Task<ListResultDto<IdentityUserDto>> GetUsersAsync(OrganizationUnitGetUserDto input);
-
-        Task AddRoleAsync(OrganizationUnitDtoAddOrRemoveRoleDto input);
-
-        Task RemoveRoleAsync(OrganizationUnitDtoAddOrRemoveRoleDto input);
-
-        Task AddUserAsync(OrganizationUnitDtoAddOrRemoveUserDto input);
-
-        Task RemoveUserAsync(OrganizationUnitDtoAddOrRemoveUserDto input);
     }
 }
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs
index 38a6dbb28..3d4787326 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissionDefinitionProvider.cs
@@ -11,6 +11,18 @@ namespace LINGYUN.Abp.Identity
             var identityGroup = context.GetGroupOrNull(Volo.Abp.Identity.IdentityPermissions.GroupName);
             if (identityGroup != null)
             {
+                var userPermission = identityGroup.GetPermissionOrNull(Volo.Abp.Identity.IdentityPermissions.Users.Default);
+                if (userPermission != null)
+                {
+                    userPermission.AddChild(IdentityPermissions.Users.ManageOrganizationUnits, L("Permission:ManageOrganizationUnits"));
+                }
+
+                var rolePermission = identityGroup.GetPermissionOrNull(Volo.Abp.Identity.IdentityPermissions.Roles.Default);
+                if (rolePermission != null)
+                {
+                    rolePermission.AddChild(IdentityPermissions.Roles.ManageOrganizationUnits, L("Permission:ManageOrganizationUnits"));
+                }
+
                 var origanizationUnitPermission = identityGroup.AddPermission(IdentityPermissions.OrganizationUnits.Default, L("Permission:OrganizationUnitManagement"));
                 origanizationUnitPermission.AddChild(IdentityPermissions.OrganizationUnits.Create, L("Permission:Create"));
                 origanizationUnitPermission.AddChild(IdentityPermissions.OrganizationUnits.Update, L("Permission:Edit"));
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs
index 1200ce27a..3fc7ae408 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/IdentityPermissions.cs
@@ -4,6 +4,16 @@ namespace LINGYUN.Abp.Identity
 {
     public class IdentityPermissions
     {
+        public static class Roles
+        {
+            public const string ManageOrganizationUnits = Volo.Abp.Identity.IdentityPermissions.Roles.Default + ".ManageOrganizationUnits";
+        }
+
+        public static class Users
+        {
+            public const string ManageOrganizationUnits = Volo.Abp.Identity.IdentityPermissions.Users.Default + ".ManageOrganizationUnits";
+        }
+
         public static class OrganizationUnits
         {
             public const string Default = Volo.Abp.Identity.IdentityPermissions.GroupName + ".OrganizationUnits";
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/en.json b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/en.json
index f1c21169c..54f80defc 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/en.json
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/en.json
@@ -3,6 +3,7 @@
   "texts": {
     "Permission:OrganizationUnitManagement": "Organization unit management",
     "Permission:ChangeRoles": "Change roles",
-    "Permission:ChangeUsers": "Change users"
+    "Permission:ChangeUsers": "Change users",
+    "Permission:ManageOrganizationUnits": "Management organization units"
   }
 }
\ No newline at end of file
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/zh-Hans.json b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/zh-Hans.json
index 69bbbb26b..dba0b9432 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/zh-Hans.json
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application.Contracts/LINGYUN/Abp/Identity/Localization/zh-Hans.json
@@ -3,6 +3,7 @@
   "texts": {
     "Permission:OrganizationUnitManagement": "组织机构管理",
     "Permission:ChangeRoles": "更改角色",
-    "Permission:ChangeUsers": "更改用户"
+    "Permission:ChangeUsers": "更改用户",
+    "Permission:ManageOrganizationUnits": "管理组织机构"
   }
 }
\ No newline at end of file
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN.Abp.Identity.Application.csproj b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN.Abp.Identity.Application.csproj
index fbb9fc057..4269ad7ba 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN.Abp.Identity.Application.csproj
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN.Abp.Identity.Application.csproj
@@ -11,6 +11,7 @@
 
   <ItemGroup>
     <ProjectReference Include="..\..\identity\LINGYUN.Abp.Identity.Application.Contracts\LINGYUN.Abp.Identity.Application.Contracts.csproj" />
+    <ProjectReference Include="..\LINGYUN.Abp.Identity.Domain\LINGYUN.Abp.Identity.Domain.csproj" />
   </ItemGroup>
 
 </Project>
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityRoleAppService.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityRoleAppService.cs
new file mode 100644
index 000000000..07460784c
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityRoleAppService.cs
@@ -0,0 +1,53 @@
+using Microsoft.AspNetCore.Authorization;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Volo.Abp.Application.Dtos;
+using Volo.Abp.Identity;
+
+namespace LINGYUN.Abp.Identity
+{
+    [Authorize(IdentityPermissions.Roles.ManageOrganizationUnits)]
+    public class IdentityRoleAppService : IdentityAppServiceBase, IIdentityRoleAppService
+    {
+        protected IIdentityRoleRepository IdentityRoleRepository { get; }
+        protected OrganizationUnitManager OrganizationUnitManager { get; }
+        protected IOrganizationUnitRepository OrganizationUnitRepository { get; }
+        public IdentityRoleAppService(
+            IIdentityRoleRepository roleRepository,
+            OrganizationUnitManager organizationUnitManager)
+        {
+            OrganizationUnitManager = organizationUnitManager;
+            IdentityRoleRepository = roleRepository;
+        }
+
+        public virtual async Task<ListResultDto<OrganizationUnitDto>> GetOrganizationUnitsAsync(Guid id)
+        {
+            var origanizationUnits = await IdentityRoleRepository.GetOrganizationUnitsAsync(id);
+
+            return new ListResultDto<OrganizationUnitDto>(
+                ObjectMapper.Map<List<OrganizationUnit>, List<OrganizationUnitDto>>(origanizationUnits));
+        }
+
+        public virtual async Task SetOrganizationUnitsAsync(Guid id, IdentityRoleAddOrRemoveOrganizationUnitDto input)
+        {
+            var origanizationUnits = await IdentityRoleRepository.GetOrganizationUnitsAsync(id, true);
+
+            var notInRoleOuIds = input.OrganizationUnitIds.Where(ouid => !origanizationUnits.Any(ou => ou.Id.Equals(ouid)));
+
+            foreach (var ouId in notInRoleOuIds)
+            {
+                await OrganizationUnitManager.AddRoleToOrganizationUnitAsync(id, ouId);
+            }
+
+            var removeRoleOriganzationUnits = origanizationUnits.Where(ou => !input.OrganizationUnitIds.Contains(ou.Id));
+            foreach (var origanzationUnit in removeRoleOriganzationUnits)
+            {
+                origanzationUnit.RemoveRole(id);
+            }
+
+            await CurrentUnitOfWork.SaveChangesAsync();
+        }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityUserAppService.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityUserAppService.cs
new file mode 100644
index 000000000..090a950fc
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/IdentityUserAppService.cs
@@ -0,0 +1,39 @@
+using Microsoft.AspNetCore.Authorization;
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using Volo.Abp.Application.Dtos;
+using Volo.Abp.Identity;
+
+namespace LINGYUN.Abp.Identity
+{
+    [Authorize(IdentityPermissions.Users.ManageOrganizationUnits)]
+    public class IdentityUserAppService : IdentityAppServiceBase, IIdentityUserAppService
+    {
+        protected IdentityUserManager UserManager { get; }
+        public IdentityUserAppService(
+            IdentityUserManager userManager) 
+        {
+            UserManager = userManager;
+        }
+
+        public virtual async Task<ListResultDto<OrganizationUnitDto>> GetOrganizationUnitsAsync(Guid id)
+        {
+            var user = await UserManager.GetByIdAsync(id);
+
+            var origanizationUnits =  await UserManager.GetOrganizationUnitsAsync(user);
+
+            return new ListResultDto<OrganizationUnitDto>(
+                ObjectMapper.Map<List<OrganizationUnit>, List<OrganizationUnitDto>>(origanizationUnits));
+        }
+
+        public virtual async Task UpdateOrganizationUnitsAsync(Guid id, IdentityUserOrganizationUnitUpdateDto input)
+        {
+            var user = await UserManager.GetByIdAsync(id);
+
+            await UserManager.SetOrganizationUnitsAsync(user, input.OrganizationUnitIds);
+
+            await CurrentUnitOfWork.SaveChangesAsync();
+        }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/OrganizationUnitAppService.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/OrganizationUnitAppService.cs
index 17bb80e91..f825d0567 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/OrganizationUnitAppService.cs
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Application/LINGYUN/Abp/Identity/OrganizationUnitAppService.cs
@@ -146,53 +146,5 @@ namespace LINGYUN.Abp.Identity
 
             return ObjectMapper.Map<OrganizationUnit, OrganizationUnitDto>(origanizationUnit);
         }
-
-        [Authorize(IdentityPermissions.OrganizationUnits.ManageRoles)]
-        public virtual async Task AddRoleAsync(OrganizationUnitDtoAddOrRemoveRoleDto input)
-        {
-            var origanizationUnit = await OrganizationUnitRepository.GetAsync(input.Id);
-            if (!origanizationUnit.IsInRole(input.RoleId))
-            {
-                origanizationUnit.AddRole(input.RoleId);
-                await OrganizationUnitManager.UpdateAsync(origanizationUnit);
-                await CurrentUnitOfWork.SaveChangesAsync();
-            }
-        }
-
-        [Authorize(IdentityPermissions.OrganizationUnits.ManageRoles)]
-        public virtual async Task RemoveRoleAsync(OrganizationUnitDtoAddOrRemoveRoleDto input)
-        {
-            var origanizationUnit = await OrganizationUnitRepository.GetAsync(input.Id);
-            if (origanizationUnit.IsInRole(input.RoleId))
-            {
-                origanizationUnit.RemoveRole(input.RoleId);
-                await OrganizationUnitManager.UpdateAsync(origanizationUnit);
-                await CurrentUnitOfWork.SaveChangesAsync();
-            }
-        }
-
-        [Authorize(IdentityPermissions.OrganizationUnits.ManageUsers)]
-        public virtual async Task AddUserAsync(OrganizationUnitDtoAddOrRemoveUserDto input)
-        {
-            var identityUser = await UserRepository.GetAsync(input.UserId);
-            var origanizationUnit = await OrganizationUnitRepository.GetAsync(input.Id);
-            if (!identityUser.IsInOrganizationUnit(input.Id))
-            {
-                await UserManager.AddToOrganizationUnitAsync(identityUser, origanizationUnit);
-                await CurrentUnitOfWork.SaveChangesAsync();
-            }
-        }
-
-        [Authorize(IdentityPermissions.OrganizationUnits.ManageUsers)]
-        public virtual async Task RemoveUserAsync(OrganizationUnitDtoAddOrRemoveUserDto input)
-        {
-            var identityUser = await UserRepository.GetAsync(input.UserId);
-            var origanizationUnit = await OrganizationUnitRepository.GetAsync(input.Id);
-            if (identityUser.IsInOrganizationUnit(input.Id))
-            {
-                await UserManager.RemoveFromOrganizationUnitAsync(identityUser, origanizationUnit);
-                await CurrentUnitOfWork.SaveChangesAsync();
-            }
-        }
     }
 }
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN.Abp.Identity.Domain.csproj b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN.Abp.Identity.Domain.csproj
new file mode 100644
index 000000000..8a6916da6
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN.Abp.Identity.Domain.csproj
@@ -0,0 +1,12 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <RootNamespace />
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Volo.Abp.Identity.Domain" Version="3.0.0" />
+  </ItemGroup>
+
+</Project>
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/AbpIdentityDomainModule.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/AbpIdentityDomainModule.cs
new file mode 100644
index 000000000..9004ff3f5
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/AbpIdentityDomainModule.cs
@@ -0,0 +1,9 @@
+using Volo.Abp.Modularity;
+
+namespace LINGYUN.Abp.Identity
+{
+    [DependsOn(typeof(Volo.Abp.Identity.AbpIdentityDomainModule))]
+    public class AbpIdentityDomainModule : AbpModule
+    {
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/IIdentityRoleRepository.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/IIdentityRoleRepository.cs
new file mode 100644
index 000000000..38ccc0d18
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.Domain/LINGYUN/Abp/Identity/IIdentityRoleRepository.cs
@@ -0,0 +1,30 @@
+using System;
+using System.Collections.Generic;
+using System.Threading;
+using System.Threading.Tasks;
+using Volo.Abp.Identity;
+
+namespace LINGYUN.Abp.Identity
+{
+    public interface IIdentityRoleRepository : Volo.Abp.Identity.IIdentityRoleRepository
+    {
+        Task<List<OrganizationUnit>> GetOrganizationUnitsAsync(
+            Guid id,
+            bool includeDetails = false,
+            CancellationToken cancellationToken = default);
+
+        Task<List<IdentityRole>> GetRolesInOrganizationUnitAsync(
+            Guid organizationUnitId,
+            CancellationToken cancellationToken = default
+            );
+        Task<List<IdentityRole>> GetRolesInOrganizationsListAsync(
+            List<Guid> organizationUnitIds,
+            CancellationToken cancellationToken = default
+            );
+
+        Task<List<IdentityRole>> GetRolesInOrganizationUnitWithChildrenAsync(
+            string code,
+            CancellationToken cancellationToken = default
+            );
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN.Abp.Identity.EntityFrameworkCore.csproj b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN.Abp.Identity.EntityFrameworkCore.csproj
new file mode 100644
index 000000000..0853f4327
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN.Abp.Identity.EntityFrameworkCore.csproj
@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>netstandard2.0</TargetFramework>
+    <RootNamespace />
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Volo.Abp.Identity.EntityFrameworkCore" Version="3.0.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\LINGYUN.Abp.Identity.Domain\LINGYUN.Abp.Identity.Domain.csproj" />
+  </ItemGroup>
+
+</Project>
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/AbpIdentityEntityFrameworkCoreModule.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/AbpIdentityEntityFrameworkCoreModule.cs
new file mode 100644
index 000000000..ed033f359
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/AbpIdentityEntityFrameworkCoreModule.cs
@@ -0,0 +1,20 @@
+using Microsoft.Extensions.DependencyInjection;
+using Volo.Abp.Identity;
+using Volo.Abp.Identity.EntityFrameworkCore;
+using Volo.Abp.Modularity;
+
+namespace LINGYUN.Abp.Identity.EntityFrameworkCore
+{
+    [DependsOn(typeof(LINGYUN.Abp.Identity.AbpIdentityDomainModule))]
+    [DependsOn(typeof(Volo.Abp.Identity.EntityFrameworkCore.AbpIdentityEntityFrameworkCoreModule))]
+    public class AbpIdentityEntityFrameworkCoreModule : AbpModule
+    {
+        public override void ConfigureServices(ServiceConfigurationContext context)
+        {
+            context.Services.AddAbpDbContext<IdentityDbContext>(options =>
+            {
+                options.AddRepository<IdentityRole, EfCoreIdentityRoleRepository>();
+            });
+        }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityRoleRepository.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityRoleRepository.cs
new file mode 100644
index 000000000..245d0fac9
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.EntityFrameworkCore/LINGYUN/Abp/Identity/EntityFrameworkCore/EfCoreIdentityRoleRepository.cs
@@ -0,0 +1,70 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Internal;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Linq.Dynamic.Core;
+using System.Threading;
+using System.Threading.Tasks;
+using Volo.Abp.EntityFrameworkCore;
+using Volo.Abp.Identity;
+using Volo.Abp.Identity.EntityFrameworkCore;
+
+namespace LINGYUN.Abp.Identity.EntityFrameworkCore
+{
+    public class EfCoreIdentityRoleRepository : Volo.Abp.Identity.EntityFrameworkCore.EfCoreIdentityRoleRepository, IIdentityRoleRepository
+    {
+        public EfCoreIdentityRoleRepository(
+            IDbContextProvider<IIdentityDbContext> dbContextProvider) 
+            : base(dbContextProvider)
+        {
+        }
+
+        public virtual async Task<List<OrganizationUnit>> GetOrganizationUnitsAsync(
+            Guid id, 
+            bool includeDetails = false,
+            CancellationToken cancellationToken = default)
+        {
+            var query = from roleOU in DbContext.Set<OrganizationUnitRole>()
+                        join ou in DbContext.OrganizationUnits.IncludeDetails(includeDetails) on roleOU.OrganizationUnitId equals ou.Id
+                        where roleOU.RoleId == id
+                        select ou;
+
+            return await query.ToListAsync(GetCancellationToken(cancellationToken));
+        }
+
+        public virtual async Task<List<IdentityRole>> GetRolesInOrganizationsListAsync(
+            List<Guid> organizationUnitIds, 
+            CancellationToken cancellationToken = default)
+        {
+            var query = from roleOu in DbContext.Set<OrganizationUnitRole>()
+                        join user in DbSet on roleOu.RoleId equals user.Id
+                        where organizationUnitIds.Contains(roleOu.OrganizationUnitId)
+                        select user;
+            return await query.ToListAsync(GetCancellationToken(cancellationToken));
+        }
+
+        public virtual async Task<List<IdentityRole>> GetRolesInOrganizationUnitAsync(
+            Guid organizationUnitId, 
+            CancellationToken cancellationToken = default)
+        {
+            var query = from roleOu in DbContext.Set<OrganizationUnitRole>()
+                        join user in DbSet on roleOu.RoleId equals user.Id
+                        where roleOu.OrganizationUnitId == organizationUnitId
+                        select user;
+            return await query.ToListAsync(GetCancellationToken(cancellationToken));
+        }
+
+        public virtual async Task<List<IdentityRole>> GetRolesInOrganizationUnitWithChildrenAsync(
+            string code, 
+            CancellationToken cancellationToken = default)
+        {
+            var query = from roleOU in DbContext.Set<OrganizationUnitRole>()
+                        join user in DbSet on roleOU.RoleId equals user.Id
+                        join ou in DbContext.Set<OrganizationUnit>() on roleOU.OrganizationUnitId equals ou.Id
+                        where ou.Code.StartsWith(code)
+                        select user;
+            return await query.ToListAsync(GetCancellationToken(cancellationToken));
+        }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/IIdentityRoleController.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/IIdentityRoleController.cs
new file mode 100644
index 000000000..38e4a6730
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/IIdentityRoleController.cs
@@ -0,0 +1,38 @@
+using Microsoft.AspNetCore.Mvc;
+using System;
+using System.Threading.Tasks;
+using Volo.Abp;
+using Volo.Abp.Application.Dtos;
+using Volo.Abp.AspNetCore.Mvc;
+using Volo.Abp.Identity;
+
+namespace LINGYUN.Abp.Identity
+{
+    [RemoteService(true, Name = IdentityRemoteServiceConsts.RemoteServiceName)]
+    [Area("identity")]
+    [ControllerName("Role")]
+    [Route("api/identity/roles")]
+    public class IIdentityRoleController : AbpController, IIdentityRoleAppService
+    {
+        protected IIdentityRoleAppService RoleAppService { get; }
+        public IIdentityRoleController(
+            IIdentityRoleAppService roleAppService) 
+        {
+            RoleAppService = roleAppService;
+        }
+
+        [HttpGet]
+        [Route("organization-units/{id}")]
+        public virtual async Task<ListResultDto<OrganizationUnitDto>> GetOrganizationUnitsAsync(Guid id)
+        {
+            return await RoleAppService.GetOrganizationUnitsAsync(id);
+        }
+
+        [HttpPut]
+        [Route("organization-units/{id}")]
+        public virtual async Task SetOrganizationUnitsAsync(Guid id, IdentityRoleAddOrRemoveOrganizationUnitDto input)
+        {
+            await RoleAppService.SetOrganizationUnitsAsync(id, input);
+        }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/IIdentityUserController.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/IIdentityUserController.cs
new file mode 100644
index 000000000..6a904521d
--- /dev/null
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/IIdentityUserController.cs
@@ -0,0 +1,38 @@
+using Microsoft.AspNetCore.Mvc;
+using System;
+using System.Threading.Tasks;
+using Volo.Abp;
+using Volo.Abp.Application.Dtos;
+using Volo.Abp.AspNetCore.Mvc;
+using Volo.Abp.Identity;
+
+namespace LINGYUN.Abp.Identity
+{
+    [RemoteService(true, Name = IdentityRemoteServiceConsts.RemoteServiceName)]
+    [Area("identity")]
+    [ControllerName("User")]
+    [Route("api/identity/users")]
+    public class IIdentityUserController : AbpController, IIdentityUserAppService
+    {
+        protected IIdentityUserAppService UserAppService { get; }
+        public IIdentityUserController(
+            IIdentityUserAppService userAppService)
+        {
+            UserAppService = userAppService;
+        }
+
+        [HttpGet]
+        [Route("organization-units/{id}")]
+        public virtual async Task<ListResultDto<OrganizationUnitDto>> GetOrganizationUnitsAsync(Guid id)
+        {
+            return await UserAppService.GetOrganizationUnitsAsync(id);
+        }
+
+        [HttpPut]
+        [Route("organization-units/{id}")]
+        public virtual async Task UpdateOrganizationUnitsAsync(Guid id, IdentityUserOrganizationUnitUpdateDto input)
+        {
+            await UserAppService.UpdateOrganizationUnitsAsync(id, input);
+        }
+    }
+}
diff --git a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/OrganizationUnitController.cs b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/OrganizationUnitController.cs
index 0a106b8e7..5ebc3f1b7 100644
--- a/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/OrganizationUnitController.cs
+++ b/aspnet-core/modules/identity/LINGYUN.Abp.Identity.HttpApi/LINGYUN/Abp/Identity/OrganizationUnitController.cs
@@ -1,6 +1,5 @@
 using Microsoft.AspNetCore.Mvc;
 using System;
-using System.ComponentModel.DataAnnotations;
 using System.Threading.Tasks;
 using Volo.Abp;
 using Volo.Abp.Application.Dtos;
@@ -23,20 +22,6 @@ namespace LINGYUN.Abp.Identity
             OrganizationUnitAppService = organizationUnitAppService;
         }
 
-        [HttpPost]
-        [Route("management-roles")]
-        public virtual async Task AddRoleAsync(OrganizationUnitDtoAddOrRemoveRoleDto input)
-        {
-            await OrganizationUnitAppService.AddRoleAsync(input);
-        }
-
-        [HttpPost]
-        [Route("management-users")]
-        public virtual async Task AddUserAsync(OrganizationUnitDtoAddOrRemoveUserDto input)
-        {
-            await OrganizationUnitAppService.AddUserAsync(input);
-        }
-
         [HttpPost]
         public virtual async Task<OrganizationUnitDto> CreateAsync(OrganizationUnitCreateDto input)
         {
@@ -112,20 +97,6 @@ namespace LINGYUN.Abp.Identity
             await OrganizationUnitAppService.MoveAsync(id, input);
         }
 
-        [HttpDelete]
-        [Route("management-roles")]
-        public virtual async Task RemoveRoleAsync(OrganizationUnitDtoAddOrRemoveRoleDto input)
-        {
-            await OrganizationUnitAppService.RemoveRoleAsync(input);
-        }
-
-        [HttpDelete]
-        [Route("management-users")]
-        public virtual async Task RemoveUserAsync(OrganizationUnitDtoAddOrRemoveUserDto input)
-        {
-            await OrganizationUnitAppService.RemoveUserAsync(input);
-        }
-
         [HttpPut]
         [Route("{id}")]
         public virtual async Task<OrganizationUnitDto> UpdateAsync(Guid id, OrganizationUnitUpdateDto input)
diff --git a/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/BackendAdminHostModule.cs b/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/BackendAdminHostModule.cs
index fbccd7cc5..dcb6e577c 100644
--- a/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/BackendAdminHostModule.cs
+++ b/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/BackendAdminHostModule.cs
@@ -77,7 +77,7 @@ namespace LINGYUN.BackendAdmin
         typeof(AbpTenantManagementApplicationModule),
         typeof(AbpTenantManagementHttpApiModule),
         typeof(AbpEntityFrameworkCoreMySQLModule),
-        typeof(AbpIdentityEntityFrameworkCoreModule),
+        typeof(LINGYUN.Abp.Identity.EntityFrameworkCore.AbpIdentityEntityFrameworkCoreModule),
         typeof(AbpIdentityServerEntityFrameworkCoreModule),
         typeof(AbpTenantManagementEntityFrameworkCoreModule),
         typeof(AbpSettingManagementEntityFrameworkCoreModule),
diff --git a/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/LINGYUN.BackendAdminApp.Host.csproj b/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/LINGYUN.BackendAdminApp.Host.csproj
index cc8830e45..b68c8b473 100644
--- a/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/LINGYUN.BackendAdminApp.Host.csproj
+++ b/aspnet-core/services/admin/LINGYUN.BackendAdminApp.Host/LINGYUN.BackendAdminApp.Host.csproj
@@ -64,6 +64,7 @@
     <ProjectReference Include="..\..\..\modules\common\LINGYUN.Abp.ExceptionHandling.Emailing\LINGYUN.Abp.ExceptionHandling.Emailing.csproj" />
     <ProjectReference Include="..\..\..\modules\file-management\LINGYUN.Abp.FileManagement.Application.Contracts\LINGYUN.Abp.FileManagement.Application.Contracts.csproj" />
     <ProjectReference Include="..\..\..\modules\identity\LINGYUN.Abp.Identity.Application\LINGYUN.Abp.Identity.Application.csproj" />
+    <ProjectReference Include="..\..\..\modules\identity\LINGYUN.Abp.Identity.EntityFrameworkCore\LINGYUN.Abp.Identity.EntityFrameworkCore.csproj" />
     <ProjectReference Include="..\..\..\modules\identity\LINGYUN.Abp.Identity.HttpApi\LINGYUN.Abp.Identity.HttpApi.csproj" />
     <ProjectReference Include="..\..\..\modules\common\LINGYUN.Abp.Location.Tencent\LINGYUN.Abp.Location.Tencent.csproj" />
     <ProjectReference Include="..\..\..\modules\message\LINGYUN.Abp.MessageService.Application.Contracts\LINGYUN.Abp.MessageService.Application.Contracts.csproj" />
diff --git a/vueJs/src/api/organizationunit.ts b/vueJs/src/api/organizationunit.ts
index 231af13ac..b48a0adb7 100644
--- a/vueJs/src/api/organizationunit.ts
+++ b/vueJs/src/api/organizationunit.ts
@@ -24,7 +24,7 @@ export default class OrganizationUnitService {
    */
   public static getRootOrganizationUnits() {
     const _url = '/api/identity/organization-units/root-node'
-    return ApiService.Get<PagedResultDto<OrganizationUnit>>(_url, serviceUrl)
+    return ApiService.Get<ListResultDto<OrganizationUnit>>(_url, serviceUrl)
   }
 
   /**
diff --git a/vueJs/src/api/roles.ts b/vueJs/src/api/roles.ts
index cc2334a31..6b6468910 100644
--- a/vueJs/src/api/roles.ts
+++ b/vueJs/src/api/roles.ts
@@ -1,5 +1,6 @@
 import { pagerFormat } from '@/utils/index'
 import ApiService from './serviceBase'
+import { OrganizationUnit } from './organizationunit'
 import { ListResultDto, PagedAndSortedResultRequestDto, PagedResultDto } from './types'
 
 const IdentityServiceUrl = process.env.VUE_APP_BASE_API
@@ -25,6 +26,16 @@ export default class RoleService {
     return ApiService.Get<RoleDto>(_url, IdentityServiceUrl)
   }
 
+  public static getRoleOrganizationUnits(roleId: string) {
+    const _url = '/api/identity/roles/organization-units/' + roleId
+    return ApiService.Get<ListResultDto<OrganizationUnit>>(_url, IdentityServiceUrl);
+  }
+
+  public static changeRoleOrganizationUnits(roleId: string, payload: ChangeRoleOrganizationUnitDto) {
+    const _url = '/api/identity/roles/organization-units/' + roleId
+    return ApiService.Put<void>(_url, payload, IdentityServiceUrl);
+  }
+
   public static createRole(input: CreateRoleDto) {
     return ApiService.Post<RoleDto>('/api/identity/roles', input, IdentityServiceUrl)
   }
@@ -75,3 +86,7 @@ export class UpdateRoleDto extends RoleBaseDto {
     this.isPublic = true
   }
 }
+
+export class ChangeRoleOrganizationUnitDto {
+  organizationUnitIds = new Array<string>()
+}
diff --git a/vueJs/src/api/users.ts b/vueJs/src/api/users.ts
index a9470ef63..f3466b8a6 100644
--- a/vueJs/src/api/users.ts
+++ b/vueJs/src/api/users.ts
@@ -1,7 +1,9 @@
 import qs from 'querystring'
 import { pagerFormat } from '@/utils/index'
 import { PagedAndSortedResultRequestDto, FullAuditedEntityDto, PagedResultDto } from '@/api/types'
+import { OrganizationUnit } from './organizationunit'
 import ApiService from './serviceBase'
+import { ListResultDto } from './types'
 
 const IdentityServiceUrl = process.env.VUE_APP_BASE_API
 const IdentityServerUrl = process.env.VUE_APP_BASE_IDENTITY_SERVER
@@ -58,6 +60,16 @@ export default class UserApiService {
     return ApiService.Get<UserRoleDto>(_url, IdentityServiceUrl)
   }
 
+  public static getUserOrganizationUnits(userId: string) {
+    const _url = '/api/identity/users/organization-units/' + userId
+    return ApiService.Get<ListResultDto<OrganizationUnit>>(_url, IdentityServiceUrl);
+  }
+
+  public static changeUserOrganizationUnits(roleId: string, payload: ChangeUserOrganizationUnitDto) {
+    const _url = '/api/identity/users/organization-units/' + roleId
+    return ApiService.Put<void>(_url, payload, IdentityServiceUrl);
+  }
+
   public static setUserRoles(userId: string, roles: string[]) {
     let _url = '/api/identity/users'
     _url += '/' + userId
@@ -440,3 +452,7 @@ export interface IUserRole {
   /** 并发令牌 */
   concurrencyStamp: string | undefined
 }
+
+export class ChangeUserOrganizationUnitDto {
+  organizationUnitIds = new Array<string>()
+}
diff --git a/vueJs/src/components/OrganizationUnitTree/index.vue b/vueJs/src/components/OrganizationUnitTree/index.vue
new file mode 100644
index 000000000..e835f9739
--- /dev/null
+++ b/vueJs/src/components/OrganizationUnitTree/index.vue
@@ -0,0 +1,108 @@
+<template>
+  <el-tree
+    ref="organizationUnitTree"
+    show-checkbox
+    node-key="id"
+    :props="organizationUnitProps"
+    :load="loadOrganizationUnit"
+    lazy
+    draggable
+    highlight-current
+    :default-checked-keys="checkedOrganizationUnits"
+    @check="onOrganizationUnitsChecked"
+  />
+</template>
+
+<script lang="ts">
+import { Component, Prop, Watch, Vue } from 'vue-property-decorator'
+import { ListResultDto } from '@/api/types'
+import OrganizationUnitService, { OrganizationUnit } from '@/api/organizationunit'
+
+class OrganizationUnitTree {
+  id?: string
+  parentId?: string
+  code!: string
+  displayName!: string
+  isLeaf!: boolean
+  children?: OrganizationUnitTree[]
+
+  constructor() {
+    this.isLeaf = false
+    this.children = new Array<OrganizationUnitTree>()
+  }
+}
+
+@Component({
+  name: 'OrganizationUnitTree',
+  data() {
+    return {
+      organizationUnitProps: {
+        label: 'displayName',
+        isLeaf: 'isLeaf',
+        children: 'children'
+      }
+    }
+  }
+})
+export default class extends Vue {
+  @Prop({ default: () => { return new Array<string>() } })
+  private checkedOrganizationUnits!: string[]
+
+  private selectionOrganizationUnits = new Array<string>()
+
+  @Watch('checkedOrganizationUnits')
+  private onOrganizationUnitsChanged() {
+    const elTree = this.$refs.organizationUnitTree as any
+    elTree.setCheckedKeys(this.checkedOrganizationUnits)
+  }
+
+  private onOrganizationUnitsChecked(data: any, treeCheckData: any) {
+    const checkKeys = treeCheckData.checkedKeys
+    const valiadOuId = checkKeys.findIndex((key: string) => key === undefined)
+    if (valiadOuId !== -1) {
+      checkKeys.splice(valiadOuId, 1)
+    }
+    this.$emit('onOrganizationUnitsChanged', checkKeys)
+  }
+
+  private async loadOrganizationUnit(node: any, resolve: any) {
+    if (node.level === 0) {
+      const rootOrganizationUnit = new OrganizationUnitTree()
+      rootOrganizationUnit.id = undefined
+      rootOrganizationUnit.parentId = undefined
+      rootOrganizationUnit.code = 'root'
+      rootOrganizationUnit.displayName = '组织机构'
+      return resolve([rootOrganizationUnit])
+    }
+    let organizationUnitItems = new ListResultDto<OrganizationUnit>()
+    if (node.data.id === undefined) {
+      // 根节点
+      organizationUnitItems = await OrganizationUnitService.getRootOrganizationUnits()
+    } else {
+      // 子节点
+      organizationUnitItems = await OrganizationUnitService.findOrganizationUnitChildren(node.data.id, undefined)
+    }
+    if (organizationUnitItems.items.length !== 0) {
+      const organizationUnits = new Array<OrganizationUnitTree>()
+      organizationUnitItems.items.map((item) => {
+        const organizationUnit = new OrganizationUnitTree()
+        organizationUnit.id = item.id
+        organizationUnit.parentId = item.parentId
+        organizationUnit.code = item.code
+        organizationUnit.displayName = item.displayName
+        organizationUnits.push(organizationUnit)
+        const children = node.data.children as OrganizationUnitTree[]
+        if (!children.every(x => x.id === item.id)) {
+          children.push(organizationUnit)
+        }
+      })
+      return resolve(organizationUnits)
+    }
+    return resolve([])
+  }
+}
+</script>
+
+<style lang="scss" scoped>
+
+</style>
diff --git a/vueJs/src/lang/zh.ts b/vueJs/src/lang/zh.ts
index 2c5e712fb..ae59d3473 100644
--- a/vueJs/src/lang/zh.ts
+++ b/vueJs/src/lang/zh.ts
@@ -250,6 +250,7 @@ export default {
     roleList: '角色列表',
     hasRoles: '已有角色',
     permission: '分配权限',
+    organizationUnits: '组织机构',
     password: '用户密码',
     confirmPassword: '确认用户密码',
     pleaseInputName: '请输入用户名称',
@@ -261,6 +262,7 @@ export default {
     pleaseConfirmPassword: '请再次输入用户密码'
   },
   roles: {
+    basic: '基本信息',
     refreshList: '刷新列表',
     id: '角色标识',
     name: '角色名称',
@@ -284,7 +286,9 @@ export default {
     roleHasBeenSetDefault: '{name} 已设置为默认角色!',
     createRoleSuccess: '角色 {name} 添加成功!',
     pleaseInputRoleName: '请输入角色名称',
-    roleNameIsRequired: '角色名称不能为空!'
+    roleNameIsRequired: '角色名称不能为空!',
+    organizationUnits: '组织机构',
+    updateRoleSuccess: '角色 {name} 修改成功!'
   },
   operaActions: '操作方法',
   queryFilter: '查询过滤',
diff --git a/vueJs/src/views/admin/apigateway/global.vue b/vueJs/src/views/admin/apigateway/global.vue
index 981449eff..d863c9860 100644
--- a/vueJs/src/views/admin/apigateway/global.vue
+++ b/vueJs/src/views/admin/apigateway/global.vue
@@ -115,7 +115,6 @@
         :label="$t('operaActions')"
         align="center"
         width="250px"
-        fixed="right"
       >
         <template slot-scope="{row}">
           <el-button
diff --git a/vueJs/src/views/admin/apigateway/group.vue b/vueJs/src/views/admin/apigateway/group.vue
index a299faf77..ea491e7f1 100644
--- a/vueJs/src/views/admin/apigateway/group.vue
+++ b/vueJs/src/views/admin/apigateway/group.vue
@@ -132,7 +132,6 @@
         :label="$t('operaActions')"
         align="center"
         width="250px"
-        fixed="right"
       >
         <template slot-scope="{row}">
           <el-button
diff --git a/vueJs/src/views/admin/identityServer/api-resources/index.vue b/vueJs/src/views/admin/identityServer/api-resources/index.vue
index 3291adfa0..10ea16fa8 100644
--- a/vueJs/src/views/admin/identityServer/api-resources/index.vue
+++ b/vueJs/src/views/admin/identityServer/api-resources/index.vue
@@ -117,7 +117,6 @@
         :label="$t('global.operaActions')"
         align="center"
         width="250px"
-        fixed="right"
       >
         <template slot-scope="{row}">
           <el-button
diff --git a/vueJs/src/views/admin/identityServer/identity-resources/index.vue b/vueJs/src/views/admin/identityServer/identity-resources/index.vue
index 3a8c6f4d6..c16240ed5 100644
--- a/vueJs/src/views/admin/identityServer/identity-resources/index.vue
+++ b/vueJs/src/views/admin/identityServer/identity-resources/index.vue
@@ -117,7 +117,6 @@
         :label="$t('global.operaActions')"
         align="center"
         width="250px"
-        fixed="right"
       >
         <template slot-scope="{row}">
           <el-button
diff --git a/vueJs/src/views/admin/organization-unit/components/EditOrganizationUint.vue b/vueJs/src/views/admin/organization-unit/components/EditOrganizationUint.vue
index a82a524d3..31568c99c 100644
--- a/vueJs/src/views/admin/organization-unit/components/EditOrganizationUint.vue
+++ b/vueJs/src/views/admin/organization-unit/components/EditOrganizationUint.vue
@@ -34,33 +34,18 @@
               <el-dropdown-menu slot="dropdown">
                 <el-dropdown-item :command="{key: 'append', node: node, data: data}">新增机构</el-dropdown-item>
                 <el-dropdown-item :command="{key: 'remove', node: node, data: data}">删除机构</el-dropdown-item>
-
-                <el-dropdown-item :command="{key: 'add-user', node: node, data: data}">添加用户</el-dropdown-item>
-                <el-dropdown-item :command="{key: 'add-role', node: node, data: data}">添加角色</el-dropdown-item>
               </el-dropdown-menu>
             </el-dropdown>
           </span>
         </el-tree>
       </div>
     </el-card>
-
-    <el-dialog
-      :visible.sync="showUserReferenceDialog"
-      title="用户列表"
-      :show-close="false"
-      @closed="onUserReferenceDialogClosed"
-    >
-      <user-reference
-        ref="userReference"
-      />
-    </el-dialog>
   </div>
 </template>
 
 <script lang="ts">
 import { Component, Vue } from 'vue-property-decorator'
 import { ListResultDto } from '@/api/types'
-import UserReference from '../../components/UserReference.vue'
 import OrganizationUnitService, { OrganizationUnitCreate, OrganizationUnit } from '@/api/organizationunit'
 
 class OrganizationUnitTree {
@@ -79,9 +64,6 @@ class OrganizationUnitTree {
 
 @Component({
   name: 'EditOrganizationUint',
-  components: {
-    UserReference
-  },
   data() {
     return {
       organizationProps: {
@@ -138,12 +120,6 @@ export default class extends Vue {
       case 'remove' :
         this.handleRemoveOrganizationUnit(command.node, command.data)
         break
-      case 'add-user' :
-        this.handleOrganizationUnitUserAdd(command.data)
-        break
-      case 'add-role' :
-        this.handleOrganizationUnitRoleAdd(command.data)
-        break
       default: break
     }
   }
@@ -190,19 +166,6 @@ export default class extends Vue {
       })
   }
 
-  private handleOrganizationUnitUserAdd(data: any) {
-    console.log(data)
-    this.showUserReferenceDialog = true
-  }
-
-  private onUserReferenceDialogClosed() {
-    this.showUserReferenceDialog = false
-  }
-
-  private handleOrganizationUnitRoleAdd(data: any) {
-    console.log(data)
-  }
-
   private handleAllowDrag(draggingNode: any) {
     return draggingNode.data.parentId !== undefined && draggingNode.data.parentId !== null
   }
diff --git a/vueJs/src/views/admin/organization-unit/components/UserOrganizationUint.vue b/vueJs/src/views/admin/organization-unit/components/UserOrganizationUint.vue
index ca6893072..1453d9a46 100644
--- a/vueJs/src/views/admin/organization-unit/components/UserOrganizationUint.vue
+++ b/vueJs/src/views/admin/organization-unit/components/UserOrganizationUint.vue
@@ -71,34 +71,23 @@
         <span>{{ row.creationTime | dateTimeFilter }}</span>
       </template>
     </el-table-column>
-    <el-table-column
-      :label="$t('global.operaActions')"
-      align="center"
-      width="200px"
-      min-width="200px"
-      fixed="right"
-    >
-      <template slot-scope="{row}">
-        <el-button
-          :disabled="!checkPermission(['AbpIdentity.OrganizationUnits.ManageUsers'])"
-          size="mini"
-          type="primary"
-          @click="handleRemoveUser(row)"
-        >
-          {{ $t('users.deleteUser') }}
-        </el-button>
-      </template>
-    </el-table-column>
   </el-table>
 </template>
 
 <script lang="ts">
 import { Component, Prop, Watch, Vue } from 'vue-property-decorator'
 import { UserDataDto } from '@/api/users'
+import { dateFormat } from '@/utils'
 import OrganizationUnitService from '@/api/organizationunit'
 
 @Component({
-  name: 'UserOrganizationUint'
+  name: 'UserOrganizationUint',
+  filters: {
+    dateTimeFilter(datetime: string) {
+      const date = new Date(datetime)
+      return dateFormat(date, 'YYYY-mm-dd HH:MM')
+    }
+  }
 })
 export default class extends Vue {
   @Prop({ default: '' })
@@ -120,14 +109,6 @@ export default class extends Vue {
       })
     }
   }
-
-  private handleRemoveUser(row: any) {
-    if (this.organizationUnitId) {
-      OrganizationUnitService.organizationUnitRemoveUser(this.organizationUnitId, row.id).then(() => {
-        this.$message.success('用户 ' + row.name + ' 已从机构移除!')
-      })
-    }
-  }
 }
 </script>
 
diff --git a/vueJs/src/views/admin/roles/components/RoleEditForm.vue b/vueJs/src/views/admin/roles/components/RoleEditForm.vue
new file mode 100644
index 000000000..e6cac092d
--- /dev/null
+++ b/vueJs/src/views/admin/roles/components/RoleEditForm.vue
@@ -0,0 +1,196 @@
+<template>
+  <el-form
+    ref="formEditRole"
+    label-width="110px"
+    :model="role"
+    :rules="roleRules"
+  >
+    <el-tabs v-model="roleTabItem">
+      <el-tab-pane
+        :label="$t('roles.basic')"
+        name="basic"
+      >
+        <el-form-item
+          prop="name"
+          :label="$t('roles.name')"
+        >
+          <el-input
+            v-model="role.name"
+            :disabled="role.isStatic"
+            :placeholder="$t('global.pleaseInputBy', {key: $t('roles.name')})"
+          />
+        </el-form-item>
+      </el-tab-pane>
+      <el-tab-pane
+        :label="$t('roles.organizationUnits')"
+        name="organizationUnits"
+      >
+        <organization-unit-tree
+          :checked-organization-units="roleOrganizationUnits"
+          @onOrganizationUnitsChanged="onOrganizationUnitsChanged"
+        />
+      </el-tab-pane>
+      <el-tab-pane
+        v-if="rolePermissionLoaded"
+        :label="$t('roles.permission')"
+        name="permissions"
+      >
+        <permission-tree
+          ref="permissionTree"
+          :expanded="false"
+          :readonly="!checkPermission(['AbpIdentity.Roles.ManagePermissions'])"
+          :permission="rolePermission"
+          @onPermissionChanged="onPermissionChanged"
+        />
+      </el-tab-pane>
+    </el-tabs>
+    <el-form-item>
+      <el-button
+        class="cancel"
+        style="width:100px"
+        @click="onCancel"
+      >
+        {{ $t('global.cancel') }}
+      </el-button>
+      <el-button
+        class="confirm"
+        type="primary"
+        style="width:100px"
+        @click="onConfirm"
+      >
+        {{ $t('global.confirm') }}
+      </el-button>
+    </el-form-item>
+  </el-form>
+</template>
+
+<script lang="ts">
+import { IPermission } from '@/api/types'
+import { checkPermission } from '@/utils/permission'
+import { Component, Prop, Watch, Vue } from 'vue-property-decorator'
+import RoleService, { RoleDto, UpdateRoleDto } from '@/api/roles'
+import PermissionTree from '@/components/PermissionTree/index.vue'
+import OrganizationUnitTree from '@/components/OrganizationUnitTree/index.vue'
+import PermissionService, { PermissionDto, UpdatePermissionsDto } from '@/api/permission'
+import { ChangeUserOrganizationUnitDto } from '@/api/users'
+
+@Component({
+  name: 'RoleEditForm',
+  components: {
+    PermissionTree,
+    OrganizationUnitTree
+  },
+  methods: {
+    checkPermission
+  }
+})
+export default class extends Vue {
+  @Prop({ default: '' })
+  private roleId!: string
+
+  private roleTabItem = 'basic'
+  private role = new RoleDto()
+  /** 是否加载用户权限 */
+  private rolePermissionLoaded = false
+  private roleOrganizationUnitChanged = false
+  private roleOrganizationUnits = new Array<string>()
+
+  /** 角色权限数据 */
+  private rolePermission = new PermissionDto()
+  /** 角色权限已变更 */
+  private rolePermissionChanged = false
+  /** 变更角色权限数据 */
+  private editRolePermissions = new Array<IPermission>()
+
+  private roleRules = {
+    name: [
+      { required: true, message: this.l('global.pleaseInputBy', { key: this.l('roles.name') }), trigger: 'blur' },
+      { min: 3, max: 20, message: this.l('global.charLengthRange', { min: 3, max: 20 }), trigger: 'blur' }
+    ]
+  }
+
+  @Watch('roleId', { immediate: true })
+  private onRoleIdChanged() {
+    if (this.roleId) {
+      RoleService.getRoleById(this.roleId).then(role => {
+        this.role = role
+        this.handledGetRoleOrganizationUnits(role.id)
+        this.handleGetRolePermissions(role.name)
+      })
+    }
+    this.roleOrganizationUnitChanged = false
+    this.roleOrganizationUnits = new Array<string>()
+  }
+
+  private handledGetRoleOrganizationUnits(roleId: string) {
+    RoleService.getRoleOrganizationUnits(roleId).then(res => {
+      this.roleOrganizationUnits = res.items.map(ou => ou.id)
+    })
+  }
+
+  private handleGetRolePermissions(roleName: string) {
+    PermissionService.getPermissionsByKey('R', roleName).then(permission => {
+      this.rolePermission = permission
+      this.rolePermissionLoaded = true
+    })
+  }
+
+  private onOrganizationUnitsChanged(checkedKeys: string[]) {
+    this.roleOrganizationUnitChanged = true
+    this.roleOrganizationUnits = checkedKeys
+  }
+
+  private onPermissionChanged(permissions: IPermission[]) {
+    this.rolePermissionChanged = true
+    this.editRolePermissions = permissions
+  }
+
+  private onConfirm() {
+    const frmRole = this.$refs.formEditRole as any
+    frmRole.validate(async(valid: boolean) => {
+      if (valid) {
+        const roleUpdateDto = new UpdateRoleDto()
+        roleUpdateDto.name = this.role.name
+        roleUpdateDto.isPublic = this.role.isPublic
+        roleUpdateDto.isDefault = this.role.isDefault
+        roleUpdateDto.concurrencyStamp = this.role.concurrencyStamp
+        if (this.rolePermissionChanged) {
+          const setRolePermissions = new UpdatePermissionsDto()
+          setRolePermissions.permissions = this.editRolePermissions
+          await PermissionService.setPermissionsByKey('R', this.rolePermission.entityDisplayName, setRolePermissions)
+        }
+        if (this.roleOrganizationUnitChanged) {
+          const roleOrganizationUnitDto = new ChangeUserOrganizationUnitDto()
+          roleOrganizationUnitDto.organizationUnitIds = this.roleOrganizationUnits
+          await RoleService.changeRoleOrganizationUnits(this.roleId, roleOrganizationUnitDto)
+        }
+        RoleService.updateRole(this.roleId, roleUpdateDto).then(role => {
+          this.$message.success(this.l('roles.updateRoleSuccess', { name: role.name }))
+          this.onCancel()
+        })
+      }
+    })
+  }
+
+  private onCancel() {
+    this.rolePermissionLoaded = false
+    this.roleTabItem = 'basic'
+    this.$emit('onClosed')
+  }
+
+  private l(name: string, values?: any[] | { [key: string]: any }) {
+    return this.$t(name, values).toString()
+  }
+}
+</script>
+
+<style lang="scss" scoped>
+.confirm {
+  position: absolute;
+  right: 10px;
+}
+.cancel {
+  position: absolute;
+  right: 120px;
+}
+</style>
diff --git a/vueJs/src/views/admin/roles/index.vue b/vueJs/src/views/admin/roles/index.vue
index 0c5dec153..7e7dbe835 100644
--- a/vueJs/src/views/admin/roles/index.vue
+++ b/vueJs/src/views/admin/roles/index.vue
@@ -91,17 +91,16 @@
         :label="$t('roles.operaActions')"
         align="center"
         width="250px"
-        max-width="250px"
-        fixed="right"
+        min-width="250px"
       >
         <template slot-scope="{row}">
           <el-button
-            :disabled="!checkPermission(['AbpIdentity.Roles.ManagePermissions'])"
+            :disabled="!checkPermission(['AbpIdentity.Roles.Update'])"
             size="mini"
             type="primary"
-            @click="handleGetRolePermissions(row)"
+            @click="handleEditRole(row)"
           >
-            {{ $t('roles.permission') }}
+            {{ $t('roles.updateRole') }}
           </el-button>
           <el-dropdown
             class="options"
@@ -143,28 +142,15 @@
     />
 
     <el-dialog
-      :visible="hasLoadPermission"
+      :visible="showEditDialog"
       custom-class="profile"
-      :title="$t('roles.permission')"
+      title="编辑角色"
       :show-close="false"
     >
-      <PermissionTree
-        v-if="hasLoadPermission"
-        :expanded="false"
-        :readonly="!checkPermission(['AbpIdentity.Roles.ManagePermissions'])"
-        :permission="rolePermission"
-        @onPermissionChanged="onPermissionChanged"
+      <role-edit-form
+        :role-id="editRoleId"
+        @onClosed="onEditRoleFormClosed"
       />
-      <span
-        slot="footer"
-        class="dialog-footer"
-      >
-        <el-button @click="handleRolePermissionClosed">{{ $t('table.cancel') }}</el-button>
-        <el-button
-          type="primary"
-          @click="handleRoleAuthPermission"
-        >{{ $t('table.confirm') }}</el-button>
-      </span>
     </el-dialog>
   </div>
 </template>
@@ -173,46 +159,29 @@
 import { Component, Vue } from 'vue-property-decorator'
 import RoleService, { CreateRoleDto, RoleDto, UpdateRoleDto, RoleGetPagedDto } from '@/api/roles'
 import { checkPermission } from '@/utils/permission'
-import { IPermission } from '@/api/types'
 import Pagination from '@/components/Pagination/index.vue'
-import PermissionService, { PermissionDto, UpdatePermissionsDto } from '@/api/permission'
 import PermissionTree from '@/components/PermissionTree/index.vue'
+import RoleEditForm from './components/RoleEditForm.vue'
 
 @Component({
   name: 'RoleList',
   components: {
     PermissionTree,
-    Pagination
+    Pagination,
+    RoleEditForm
   },
   methods: {
     checkPermission
   }
 })
 export default class extends Vue {
-  private roleCount: number
-  private roleQueryFilter: RoleGetPagedDto
-  private roleList: RoleDto[]
-  private roleListLoading: boolean
-  /** 是否加载角色权限 */
-  private hasLoadPermission: boolean
-  /** 角色权限数据 */
-  private rolePermission: PermissionDto
-  /** 角色权限已变更 */
-  private rolePermissionChanged: boolean
-  /** 变更角色权限数据 */
-  private editRolePermissions: IPermission[]
+  private roleCount = 0
+  private roleQueryFilter = new RoleGetPagedDto()
+  private roleList = new Array<RoleDto>()
+  private roleListLoading = false
 
-  constructor() {
-    super()
-    this.roleCount = 0
-    this.roleListLoading = false
-    this.hasLoadPermission = false
-    this.rolePermissionChanged = false
-    this.rolePermission = new PermissionDto()
-    this.roleQueryFilter = new RoleGetPagedDto()
-    this.roleList = new Array<RoleDto>()
-    this.editRolePermissions = new Array<IPermission>()
-  }
+  private showEditDialog = false
+  private editRoleId = ''
 
   mounted() {
     this.handleGetRoles()
@@ -268,23 +237,9 @@ export default class extends Vue {
     })
   }
 
-  /** 获取角色权限列表 */
-  private handleGetRolePermissions(role: RoleDto) {
-    PermissionService.getPermissionsByKey('R', role.name).then(permission => {
-      this.rolePermission = permission
-      this.hasLoadPermission = true
-    })
-  }
-
-  /** 角色授权 */
-  private async handleRoleAuthPermission() {
-    if (this.rolePermissionChanged) {
-      const setRolePermissions = new UpdatePermissionsDto()
-      setRolePermissions.permissions = this.editRolePermissions
-      await PermissionService.setPermissionsByKey('R', this.rolePermission.entityDisplayName, setRolePermissions)
-    }
-    this.rolePermission = new PermissionDto()
-    this.hasLoadPermission = false
+  private handleEditRole(role: RoleDto) {
+    this.editRoleId = role.id
+    this.showEditDialog = true
   }
 
   /** 设置默认角色 */
@@ -315,14 +270,9 @@ export default class extends Vue {
       })
   }
 
-  /** 角色权限树变更事件 */
-  private onPermissionChanged(permissions: IPermission[]) {
-    this.rolePermissionChanged = true
-    this.editRolePermissions = permissions
-  }
-
-  private handleRolePermissionClosed() {
-    this.hasLoadPermission = false
+  private onEditRoleFormClosed() {
+    this.editRoleId = ''
+    this.showEditDialog = false
   }
 }
 </script>
diff --git a/vueJs/src/views/admin/tenants/index.vue b/vueJs/src/views/admin/tenants/index.vue
index 5a331563a..3faf6af09 100644
--- a/vueJs/src/views/admin/tenants/index.vue
+++ b/vueJs/src/views/admin/tenants/index.vue
@@ -94,7 +94,6 @@
         align="center"
         width="250px"
         min-width="250px"
-        fixed="right"
       >
         <template slot-scope="{row}">
           <el-button
diff --git a/vueJs/src/views/admin/users/components/UserEditForm.vue b/vueJs/src/views/admin/users/components/UserEditForm.vue
index 2ee0e1206..270051932 100644
--- a/vueJs/src/views/admin/users/components/UserEditForm.vue
+++ b/vueJs/src/views/admin/users/components/UserEditForm.vue
@@ -85,6 +85,14 @@
           :data="roleList"
         />
       </el-tab-pane>
+      <el-tab-pane
+        :label="$t('userProfile.organizationUnits')"
+      >
+        <organization-unit-tree
+          :checked-organization-units="userOrganizationUnits"
+          @onOrganizationUnitsChanged="onOrganizationUnitsChanged"
+        />
+      </el-tab-pane>
       <el-tab-pane
         v-if="allowedChangePermissions() && hasLoadPermission"
         :label="$t('userProfile.permission')"
@@ -122,55 +130,49 @@
 import { Component, Vue, Prop, Watch } from 'vue-property-decorator'
 import UserApiService, {
   UserDataDto,
-  UserUpdateDto
+  UserUpdateDto,
+  ChangeUserOrganizationUnitDto
 } from '@/api/users'
 import RoleService from '@/api/roles'
 import PermissionService, { PermissionDto, UpdatePermissionsDto } from '@/api/permission'
 import PermissionTree from '@/components/PermissionTree/index.vue'
+import OrganizationUnitTree from '@/components/OrganizationUnitTree/index.vue'
 import { IRoleData, IPermission } from '@/api/types'
 import { checkPermission } from '@/utils/permission'
 
 @Component({
   name: 'UserProfile',
   components: {
-    PermissionTree
+    PermissionTree,
+    OrganizationUnitTree
   },
   methods: {
     checkPermission
   }
 })
 export default class extends Vue {
-  @Prop({ default: '' }) private userId!: string
-  private roleList: {key: string, label: string, disabled: boolean}[]
+  @Prop({ default: '' })
+  private userId!: string
+
+  private roleList = new Array<{key: string, label: string, disabled: boolean}>()
   /** 用户组 */
-  private userRoles: string[]
-  private hasEditUser: boolean
-  private userRolesChanged: boolean
-  private userProfile: any
+  private userRoles = new Array<string>()
+  private hasEditUser = false
+  private userRolesChanged = false
+  private userProfile = new UserDataDto()
   /** 是否加载用户权限 */
-  private hasLoadPermission: boolean
+  private hasLoadPermission = false
   /** 用户权限数据 */
-  private userPermission: PermissionDto
+  private userPermission = new PermissionDto()
   /** 用户权限已变更 */
-  private userPermissionChanged: boolean
+  private userPermissionChanged = false
   /** 变更用户权限数据 */
-  private editUserPermissions: IPermission[]
+  private editUserPermissions = new Array<IPermission>()
+  /** 用户组织机构 */
+  private userOrganizationUnits = new Array<string>()
+  private userOrganizationUnitsChanged = false
 
-  private activedTabPane: string
-
-  constructor() {
-    super()
-    this.activedTabPane = 'basic'
-    this.hasEditUser = false
-    this.userRolesChanged = false
-    this.hasLoadPermission = false
-    this.userPermissionChanged = false
-    this.userRoles = new Array<string>()
-    this.userProfile = new UserDataDto()
-    this.userPermission = new PermissionDto()
-    this.editUserPermissions = new Array<IPermission>()
-    this.roleList = new Array<{key: string, label: string, disabled: boolean}>()
-  }
+  private activedTabPane = 'basic'
 
   @Watch('userId', { immediate: true })
   onUserIdChanged(userId: string) {
@@ -185,6 +187,17 @@ export default class extends Vue {
     }
   }
 
+  onUserOrganizationUnitsChanged(val: string[], oldVal: string[]) {
+    if (val.length !== oldVal.length) {
+      this.userRolesChanged = true
+    }
+  }
+
+  onOrganizationUnitsChanged(checkedKeys: string[]) {
+    this.userOrganizationUnitsChanged = true
+    this.userOrganizationUnits = checkedKeys
+  }
+
   private validatePhoneNumberValue = (rule: any, value: string, callback: any) => {
     const phoneReg = /^1[34578]\d{9}$/
     if (!value || !phoneReg.test(value)) {
@@ -234,6 +247,7 @@ export default class extends Vue {
     UserApiService.getUserById(this.userId).then(user => {
       this.userProfile = user
       this.handleGetUserRoles(this.userId)
+      this.handleGetUserOrganizationUnits(this.userId)
       if (this.allowedChangePermissions()) {
         this.handleGetUserPermissions(this.userId)
       }
@@ -261,6 +275,12 @@ export default class extends Vue {
     this.$watch('userRoles', this.onUserRolesChanged)
   }
 
+  private handleGetUserOrganizationUnits(userId: string) {
+    UserApiService.getUserOrganizationUnits(userId).then(res => {
+      this.userOrganizationUnits = res.items.map(ou => ou.id)
+    })
+  }
+
   private async handleGetUserPermissions(id: string) {
     PermissionService.getPermissionsByKey('U', id).then(permission => {
       this.userPermission = permission
@@ -284,6 +304,11 @@ export default class extends Vue {
         if (this.userRolesChanged) {
           await UserApiService.setUserRoles(this.userProfile.id, this.userRoles)
         }
+        if (this.userOrganizationUnitsChanged) {
+          const changeUserOrganizationUnitDto = new ChangeUserOrganizationUnitDto()
+          changeUserOrganizationUnitDto.organizationUnitIds = this.userOrganizationUnits
+          await UserApiService.changeUserOrganizationUnits(this.userProfile.id, changeUserOrganizationUnitDto)
+        }
         if (this.userPermissionChanged) {
           const setUserPermissions = new UpdatePermissionsDto()
           setUserPermissions.permissions = this.editUserPermissions
@@ -306,6 +331,7 @@ export default class extends Vue {
   private resetForm() {
     this.activedTabPane = 'basic'
     this.userRoles = new Array<string>()
+    this.userOrganizationUnits = new Array<string>()
     const frmEditUser = this.$refs.formEditUser as any
     frmEditUser.resetFields()
     if (this.hasLoadPermission) {
diff --git a/vueJs/src/views/admin/users/index.vue b/vueJs/src/views/admin/users/index.vue
index 694fb9511..9035bad44 100644
--- a/vueJs/src/views/admin/users/index.vue
+++ b/vueJs/src/views/admin/users/index.vue
@@ -108,7 +108,6 @@
         align="center"
         width="250px"
         min-width="250px"
-        fixed="right"
       >
         <template slot-scope="{row}">
           <el-button
diff --git a/vueJs/src/views/file-management/index.vue b/vueJs/src/views/file-management/index.vue
index c6dffe812..ff0c13ab7 100644
--- a/vueJs/src/views/file-management/index.vue
+++ b/vueJs/src/views/file-management/index.vue
@@ -108,7 +108,6 @@
         align="center"
         width="250"
         min-width="250"
-        fixed="right"
       >
         <template slot-scope="{row}">
           <el-button