Merge remote-tracking branch 'origin/feature/REQ-2227' into feature/REQ-2227

# Conflicts:
#	tyr-api/src/main/java/cn/axzo/tyr/client/feign/FeatureResourceApi.java
#	tyr-server/src/main/java/cn/axzo/tyr/server/controller/permission/FeatureResourceController.java

tyr-api/src/main/java/cn/axzo/tyr/client/common/enums/RoleTypeEnum.java

@@ -18,11 +18,12 @@ import java.util.stream.Collectors;
 @AllArgsConstructor
 public enum RoleTypeEnum {
 
-    //角色类型：common 普通角色 super_admin超级管理员(禁止删除) admin子管理员(禁止删除) init初始化内置角色
+    //角色类型：common 普通角色 super_admin超级管理员(禁止删除) admin子管理员(禁止删除) init初始化内置角色 auto_own自定义角色(禁止删除)<承载向用户单独分配的自定义权限>
     COMMON("common", "普通角色",false),
     SUPER_ADMIN("super_admin", "超级管理员",true),
     ADMIN("admin", "子管理员",true),
-    INIT("init", "初始化内置角色",false);
+    INIT("init", "初始化内置角色",false),
+    AUTO_OWN("auto_own", "自定义角色",false);
 
     @EnumValue
     private final String value;

tyr-api/src/main/java/cn/axzo/tyr/client/feign/FeatureResourceApi.java

@@ -2,6 +2,7 @@ package cn.axzo.tyr.client.feign;
 
 import cn.axzo.framework.domain.web.result.ApiResult;
 import cn.axzo.tyr.client.model.req.ResourceSyncReq;
+import cn.axzo.tyr.client.model.req.FeatureResourceTreeSaveReq;
 import cn.axzo.tyr.client.model.res.FeatureResourceTreeNode;
 import org.springframework.cloud.openfeign.FeignClient;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -30,4 +31,7 @@ public interface FeatureResourceApi {
     /** 从基准环境同步接口功能资源 **/
     @PostMapping("/api/featureResource/sync/fromBase")
     ApiResult<Void> syncFromBase(@RequestBody @Valid ResourceSyncReq req);
+
+    @PostMapping("/api/featureResource/saveOrUpdate")
+    ApiResult<Void> saveMenu(@RequestBody FeatureResourceTreeSaveReq req);
 }

tyr-api/src/main/java/cn/axzo/tyr/client/feign/TyrSaasRoleUserApi.java

@@ -1,12 +1,11 @@
 package cn.axzo.tyr.client.feign;
 
-import cn.axzo.basics.common.page.PageRequest;
 import cn.axzo.framework.domain.web.result.ApiPageResult;
 import cn.axzo.framework.domain.web.result.ApiResult;
+import cn.axzo.tyr.client.model.roleuser.dto.GetUserAutoOwnRoleResp;
 import cn.axzo.tyr.client.model.roleuser.dto.SaasRoleUserDTO;
 import cn.axzo.tyr.client.model.roleuser.dto.SuperAminInfoResp;
 import cn.axzo.tyr.client.model.roleuser.req.*;
-import cn.azxo.framework.common.model.CommonResponse;
 import org.springframework.cloud.openfeign.FeignClient;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -103,4 +102,15 @@ public interface TyrSaasRoleUserApi {
     @PostMapping("/api/saas-role-user/get-special-role")
     ApiResult<List<Long>> getSpecialRole();
 
+    /**
+     * 保存/更新 用户自定义权限，每次传入新的featureIds都会覆盖原来的所有featureIds
+     */
+    @PostMapping("/api/saas-role-user/save-or-update-auto-own-role")
+    ApiResult<Void> saveOrUpdateAutoOwnRole(@RequestBody  @Valid AutoOwnRoleUserReq req);
+
+    /**
+     * 查询用户自定义角色和权限
+     */
+    @PostMapping("/api/saas-role-user/get-auto-own-role")
+    ApiResult<GetUserAutoOwnRoleResp> getUserAutoOwnRole(@RequestBody  @Valid GetUserAutoOwnRoleReq req);
 }

tyr-api/src/main/java/cn/axzo/tyr/client/model/base/BaseFeatureResourceDO.java

@@ -0,0 +1,35 @@
+package cn.axzo.tyr.client.model.base;
+
+import lombok.AllArgsConstructor;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.experimental.SuperBuilder;
+
+@Data
+@SuperBuilder
+@NoArgsConstructor
+@AllArgsConstructor
+public class BaseFeatureResourceDO {
+    /**
+     * 资源ID 新增时为null，编辑时必传
+     **/
+    private Long id;
+
+    /** 上级资源ID **/
+    private Long parentId;
+
+    /** 资源名称 **/
+    private String featureName;
+
+    /** 资源类型 1-菜单 2-页面 3-应用入口 4-组件 **/
+    private Integer featureType;
+
+    /** 资源编码 **/
+    private String featureCode;
+
+    /** 状态 0-隐藏 1-显示 **/
+    private Integer status;
+
+    /** 图标 **/
+    private String icon;
+}

tyr-api/src/main/java/cn/axzo/tyr/client/model/req/FeatureComponentSaveReq.java

@@ -0,0 +1,17 @@
+package cn.axzo.tyr.client.model.req;
+
+import cn.axzo.tyr.client.model.base.BaseFeatureResourceDO;
+
+import java.util.List;
+
+public class FeatureComponentSaveReq extends BaseFeatureResourceDO {
+
+    /** 子级是否需要鉴权 0-不鉴权 1-鉴权 **/
+    private Integer subAuthType;
+
+    /** 路由地址 **/
+    private String linkUrl;
+
+    /** 子级组件 **/
+    private List<FeatureComponentSaveReq> children;
+}

tyr-api/src/main/java/cn/axzo/tyr/client/model/req/FeatureResourceTreeQuery.java

@@ -0,0 +1,22 @@
+package cn.axzo.tyr.client.model.req;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class FeatureResourceTreeQuery {
+
+    /** 查询搜索关键字 **/
+    private String keyword;
+
+    /** 端 **/
+    private String terminal;
+
+    /** 展示状态 默认不传返回全部 0-隐藏 1-显示 **/
+    private Integer status;
+}

tyr-api/src/main/java/cn/axzo/tyr/client/model/req/FeatureResourceTreeSaveReq.java

@@ -0,0 +1,58 @@
+package cn.axzo.tyr.client.model.req;
+
+import cn.axzo.tyr.client.model.base.BaseFeatureResourceDO;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+import lombok.experimental.SuperBuilder;
+
+import java.util.List;
+
+@Data
+@SuperBuilder
+@NoArgsConstructor
+@AllArgsConstructor
+public class FeatureResourceTreeSaveReq extends BaseFeatureResourceDO {
+
+    /** 跳转类型 1-站内跳转 2-站外跳转 **/
+    private Integer redirectType;
+
+    /** 路由地址 **/
+    private String linkUrl;
+
+    /** 路由类型 1-PC 2-小程序 3-原生 **/
+    private Integer linkType;
+
+    /** APP适配参数 **/
+    private String linkExt;
+
+    /** 小程序ID **/
+    private Long appItemId;
+
+    /** 授权类型 0-全部角色 1-指定角色 **/
+    private Integer authType;
+
+    /** 页面组件对象 **/
+    private List<FeatureComponentSaveReq> componentSaveReqList;
+
+    /** 页面及组件权限对象 **/
+    private List<RolePermissionSaveReq> permissions;
+
+    @Data
+    @Builder
+    @AllArgsConstructor
+    @NoArgsConstructor
+    public static class RolePermissionSaveReq {
+
+        /**
+         * 角色ID
+         **/
+        private Long roleId;
+
+        /**
+         * 资源编码
+         **/
+        private List<String> featureCode;
+    }
+}

tyr-api/src/main/java/cn/axzo/tyr/client/model/res/CommonDictResp.java

@@ -14,7 +14,6 @@ import lombok.NoArgsConstructor;
  */
 @Data
 @Builder
-@NoArgsConstructor
 @AllArgsConstructor
 public class CommonDictResp {
 

tyr-api/src/main/java/cn/axzo/tyr/client/model/roleuser/dto/GetUserAutoOwnRoleResp.java

@@ -0,0 +1,32 @@
+package cn.axzo.tyr.client.model.roleuser.dto;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.util.List;
+
+/**
+ * @author likunpeng
+ * @version 1.0
+ * @date 2024/4/3
+ */
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class GetUserAutoOwnRoleResp {
+
+    public static final GetUserAutoOwnRoleResp EMPTY = GetUserAutoOwnRoleResp.builder().build();
+
+    /**
+     * 角色ID
+     */
+    private Long roleId;
+
+    /**
+     * 资源ID列表
+     */
+    private List<Long> featureIds;
+}

tyr-api/src/main/java/cn/axzo/tyr/client/model/roleuser/req/AutoOwnRoleUserReq.java

@@ -0,0 +1,69 @@
+package cn.axzo.tyr.client.model.roleuser.req;
+
+import cn.axzo.tyr.client.model.enums.IdentityType;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import javax.validation.constraints.NotNull;
+import java.util.Set;
+
+
+/**
+ * @author likunpeng
+ * @date 2024/4/2
+ */
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class AutoOwnRoleUserReq {
+
+    /**
+     * 工作台id
+     */
+    @NotNull
+    private Long workspaceId;
+
+    /**
+     * 单位id
+     */
+    @NotNull
+    private Long ouId;
+
+    /**
+     * 身份id
+     */
+    @NotNull
+    private Long identityId;
+
+    /**
+     * 自然人id
+     */
+    @NotNull
+    private Long personId;
+
+    /**
+     * 身份类型
+     */
+    @NotNull
+    private IdentityType identityType;
+
+    /**
+     * 操作人
+     */
+    @NotNull
+    private Long operatorId;
+
+    /**
+     * 自定义角色ID
+     */
+    @NotNull
+    private Long roleId;
+
+    /**
+     * 资源ID列表
+     */
+    private Set<Long> featureIds;
+}

tyr-api/src/main/java/cn/axzo/tyr/client/model/roleuser/req/GetUserAutoOwnRoleReq.java

@@ -0,0 +1,38 @@
+package cn.axzo.tyr.client.model.roleuser.req;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import javax.validation.constraints.NotNull;
+
+
+/**
+ * @author likunpeng
+ * @date 2024/4/2
+ */
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class GetUserAutoOwnRoleReq {
+
+    /**
+     * 工作台id
+     */
+    @NotNull
+    private Long workspaceId;
+
+    /**
+     * 单位id
+     */
+    @NotNull
+    private Long ouId;
+
+    /**
+     * 自然人id
+     */
+    @NotNull
+    private Long personId;
+}

tyr-server/src/main/java/cn/axzo/tyr/server/controller/permission/FeatureResourceController.java

@@ -3,6 +3,7 @@ package cn.axzo.tyr.server.controller.permission;
 import cn.axzo.framework.domain.web.result.ApiResult;
 import cn.axzo.tyr.client.feign.FeatureResourceApi;
 import cn.axzo.tyr.client.model.req.ResourceSyncReq;
+import cn.axzo.tyr.client.model.req.FeatureResourceTreeSaveReq;
 import cn.axzo.tyr.client.model.res.FeatureResourceDTO;
 import cn.axzo.tyr.client.model.res.FeatureResourceTreeNode;
 import cn.axzo.tyr.server.service.SaasFeatureResourceService;
@@ -44,4 +45,10 @@ public class FeatureResourceController implements FeatureResourceApi {
         featureResourceService.syncFromBase(req);
         return ApiResult.ok();
     }
+
+    @Override
+    public ApiResult<Void> saveMenu(FeatureResourceTreeSaveReq req) {
+        log.info("save feature resouce req : " + req.toString());
+        return ApiResult.ok();
+    }
 }

tyr-server/src/main/java/cn/axzo/tyr/server/controller/roleuser/RoleUserController.java

@@ -6,6 +6,7 @@ import cn.axzo.framework.domain.web.result.ApiResult;
 import cn.axzo.pokonyan.config.mybatisplus.BaseEntity;
 import cn.axzo.tyr.client.feign.TyrSaasRoleUserApi;
 import cn.axzo.tyr.client.model.enums.IdentityType;
+import cn.axzo.tyr.client.model.roleuser.dto.GetUserAutoOwnRoleResp;
 import cn.axzo.tyr.client.model.roleuser.dto.SaasRoleUserDTO;
 import cn.axzo.tyr.client.model.roleuser.dto.SuperAminInfoResp;
 import cn.axzo.tyr.client.model.roleuser.req.*;
@@ -148,4 +149,15 @@ public class RoleUserController implements TyrSaasRoleUserApi {
     public ApiPageResult<SaasRoleUserDTO> pageQuery(RoleUserParam param) {
         return ApiPageResult.ok(saasRoleUserRelationService.pageQuery(param));
     }
+
+    @Override
+    public ApiResult<Void> saveOrUpdateAutoOwnRole(AutoOwnRoleUserReq req) {
+        saasRoleUserService.saveOrUpdateAutoOwnRole(req);
+        return ApiResult.ok();
+    }
+
+    @Override
+    public ApiResult<GetUserAutoOwnRoleResp> getUserAutoOwnRole(GetUserAutoOwnRoleReq req) {
+        return ApiResult.ok(saasRoleUserService.getUserAutoOwnRole(req));
+    }
 }

tyr-server/src/main/java/cn/axzo/tyr/server/service/SaasRoleUserService.java

@@ -1,6 +1,7 @@
 package cn.axzo.tyr.server.service;
 
 import cn.axzo.tyr.client.model.enums.IdentityType;
+import cn.axzo.tyr.client.model.roleuser.dto.GetUserAutoOwnRoleResp;
 import cn.axzo.tyr.client.model.roleuser.dto.SuperAminInfoResp;
 import cn.axzo.tyr.client.model.roleuser.req.*;
 import cn.axzo.tyr.server.repository.entity.SaasRoleUserRelation;
@@ -84,4 +85,16 @@ public interface SaasRoleUserService {
      */
     void grantOrUngrantWorkerManager(WorkerManagerRoleUserReq req);
 
+    /**
+     * 保存/更新 用户自定义角色权限
+     * @param req
+     */
+    void saveOrUpdateAutoOwnRole(AutoOwnRoleUserReq req);
+
+    /**
+     *  查询用户自定义角色和权限
+     * @param req
+     * @return
+     */
+    GetUserAutoOwnRoleResp getUserAutoOwnRole(GetUserAutoOwnRoleReq req);
 }

tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java

@@ -11,32 +11,24 @@ import cn.axzo.tyr.client.model.BaseWorkspaceModel;
 import cn.axzo.tyr.client.model.enums.DictWorkSpaceTypeEnum;
 import cn.axzo.tyr.client.model.enums.IdentityType;
 import cn.axzo.tyr.client.model.enums.WorkerLeaderRoleEnum;
+import cn.axzo.tyr.client.model.roleuser.dto.GetUserAutoOwnRoleResp;
 import cn.axzo.tyr.client.model.roleuser.dto.IdentityInfo;
 import cn.axzo.tyr.client.model.roleuser.dto.SuperAminInfoResp;
-import cn.axzo.tyr.client.model.roleuser.req.CreateSuperAdminRoleParam;
-import cn.axzo.tyr.client.model.roleuser.req.GantOrUnGantaWorkerLeaderRoleReq;
-import cn.axzo.tyr.client.model.roleuser.req.RoleUserReq;
-import cn.axzo.tyr.client.model.roleuser.req.SuperAdminParam;
-import cn.axzo.tyr.client.model.roleuser.req.WorkerManagerRoleUserReq;
+import cn.axzo.tyr.client.model.roleuser.req.*;
 import cn.axzo.tyr.client.model.vo.SaasRoleGroupVO;
 import cn.axzo.tyr.server.model.RoleUserInfo;
-import cn.axzo.tyr.server.repository.dao.RemoveRoleUserByResource;
-import cn.axzo.tyr.server.repository.dao.SaasPgroupRoleRelationDao;
-import cn.axzo.tyr.server.repository.dao.SaasRoleDao;
-import cn.axzo.tyr.server.repository.dao.SaasRoleGroupRelationDao;
-import cn.axzo.tyr.server.repository.dao.SaasRoleUserRelationDao;
-import cn.axzo.tyr.server.repository.entity.SaasPgroupRoleRelation;
-import cn.axzo.tyr.server.repository.entity.SaasRole;
-import cn.axzo.tyr.server.repository.entity.SaasRoleGroupRelation;
-import cn.axzo.tyr.server.repository.entity.SaasRoleUserRelation;
+import cn.axzo.tyr.server.repository.dao.*;
+import cn.axzo.tyr.server.repository.entity.*;
 import cn.axzo.tyr.server.service.SaasRoleGroupService;
 import cn.axzo.tyr.server.service.SaasRoleUserService;
 import cn.hutool.core.collection.CollectionUtil;
 import cn.hutool.core.util.StrUtil;
+import cn.hutool.json.JSONUtil;
 import com.alibaba.nacos.common.utils.CollectionUtils;
 import com.baomidou.mybatisplus.core.conditions.query.LambdaQueryWrapper;
 import com.baomidou.mybatisplus.extension.conditions.query.LambdaQueryChainWrapper;
 import com.google.common.collect.Lists;
+import com.google.common.collect.Sets;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
@@ -65,6 +57,7 @@ public class RoleUserService implements SaasRoleUserService {
     private final SaasPgroupRoleRelationDao saasPgroupRoleRelationDao;
     private final SaasRoleGroupService saasRoleGroupService;
     private final SaasRoleGroupRelationDao saasRoleGroupRelationDao;
+    private final SaasPgroupPermissionRelationDao saasPgroupPermissionRelationDao;
 
     // 单位类型默认角色关系,后面可以座位管理员的逻辑进行迭代
     @Value("#{${participateUnitDefaultRoleId:{}}}")
@@ -103,14 +96,18 @@ public class RoleUserService implements SaasRoleUserService {
 
         // 查询用户所有角色
         List<SaasRoleUserRelation> existsRoleUser = roleUserRelationDao.query(req.getIdentityId(), req.getIdentityType().getCode(), req.getWorkspaceId(), req.getOuId());
-        // 当前用户非超管的角色
-        List<Long> notAdminRole = Collections.emptyList();
+        // 当前用户非超管、自定义的角色
+        List<Long> notAdminAndAutoOwnRole = Collections.emptyList();
         if (CollectionUtils.isNotEmpty(existsRoleUser)) {
             List<SaasRole> existsRole = saasRoleDao.listByIds(existsRoleUser.stream().mapToLong(SaasRoleUserRelation::getRoleId).boxed().collect(Collectors.toList()));
             // 管理员角色
             List<Long> adminRole = existsRole.stream().filter(e -> RoleTypeEnum.getRoleType(e.getRoleType()).isAdminRole()).mapToLong(SaasRole::getId).boxed().collect(Collectors.toList());
-            // 排除管理员角色(普通角色) 这里用过滤的方式，是为了防止脏数据产生(saas_role_user_relation表有用户数据但是角色表已经被删除)
-            notAdminRole = existsRoleUser.stream().mapToLong(SaasRoleUserRelation::getRoleId).boxed().filter(roleId -> !adminRole.contains(roleId)).collect(Collectors.toList());
+            // 自定义角色
+            Long autoOwnRole = existsRole.stream().filter(e -> RoleTypeEnum.AUTO_OWN.equals(RoleTypeEnum.getRoleType(e.getRoleType()))).findFirst().map(SaasRole::getId).orElse(0L);
+            log.info("personId:{} autoOwnRole:{} adminRole:{}", req.getPersonId(), autoOwnRole, JSONUtil.toJsonStr(adminRole));
+            // 排除管理员角色、自定义角色(普通角色) 这里用过滤的方式，是为了防止脏数据产生(saas_role_user_relation表有用户数据但是角色表已经被删除)
+            notAdminAndAutoOwnRole = existsRoleUser.stream().mapToLong(SaasRoleUserRelation::getRoleId).boxed().filter(roleId -> !adminRole.contains(roleId))
+                    .filter(roleId -> !autoOwnRole.equals(roleId)).collect(Collectors.toList());
         }
         BaseWorkspaceModel workspaceModel = BaseWorkspaceModel.builder()
                 .workspaceId(req.getWorkspaceId()).ouId(req.getOuId())
@@ -118,20 +115,20 @@ public class RoleUserService implements SaasRoleUserService {
                 .build();
 
         // 删除现有非管理员的角色
-        if (CollectionUtils.isNotEmpty(notAdminRole)) {
+        if (CollectionUtils.isNotEmpty(notAdminAndAutoOwnRole)) {
             //如果该接口支持 权限回收，那么参数UpdateRoleIds就是待删除的权限合集
             if (req.isRecycleModel()) {
-                notAdminRole.clear();
+                notAdminAndAutoOwnRole.clear();
                 //回收角色权限,只移除用户传参的权限
-                notAdminRole.addAll(req.getUpdateRoleIds());
-                roleUserRelationDao.deleteByUser(workspaceModel, notAdminRole);
+                notAdminAndAutoOwnRole.addAll(req.getUpdateRoleIds());
+                roleUserRelationDao.deleteByUser(workspaceModel, notAdminAndAutoOwnRole);
                 return;
             }
-            roleUserRelationDao.deleteByUser(workspaceModel, notAdminRole);
+            roleUserRelationDao.deleteByUser(workspaceModel, notAdminAndAutoOwnRole);
         }
         if(req.isMergeExistsRoles()){
             //合并新的角色和老的角色
-            updateRoleIds.addAll(notAdminRole);
+            updateRoleIds.addAll(notAdminAndAutoOwnRole);
         }
         // 清空所有角色
         if (CollectionUtil.isEmpty(updateRoleIds)) {
@@ -144,7 +141,6 @@ public class RoleUserService implements SaasRoleUserService {
             saasRoleUserRelation.setIdentityType(req.getIdentityType().getCode());
             saasRoleUserRelation.setRoleId(e);
             saasRoleUserRelation.setNaturalPersonId(req.getPersonId());
-            saasRoleUserRelation.setNaturalPersonId(req.getPersonId());
             saasRoleUserRelation.setOuId(req.getOuId());
             saasRoleUserRelation.setWorkspaceId(req.getWorkspaceId());
             return saasRoleUserRelation;
@@ -430,6 +426,88 @@ public class RoleUserService implements SaasRoleUserService {
 
     }
 
+    @Override
+    @Transactional(rollbackFor = Exception.class)
+    public void saveOrUpdateAutoOwnRole(AutoOwnRoleUserReq req) {
+        SaasRole role = saasRoleDao.getById(req.getRoleId());
+        AssertUtil.notNull(role, "未配置自定义角色");
+        AssertUtil.isTrue(RoleTypeEnum.AUTO_OWN.equals(RoleTypeEnum.getRoleType(role.getRoleType())), "未配置自定义角色");
+        // 查询用户已存在角色
+        List<SaasRoleUserRelation> existsRoleUser = roleUserRelationDao.queryByPersonId(req.getPersonId(), req.getWorkspaceId(), req.getOuId());
+        Long autoOwnRoleId = null;
+        if (CollectionUtils.isNotEmpty(existsRoleUser)) {
+            List<Long> autoOwnRoles = existsRoleUser.stream().filter(e -> role.getId().equals(e.getRoleId())).mapToLong(SaasRoleUserRelation::getRoleId).boxed().collect(Collectors.toList());
+            if (CollectionUtils.isNotEmpty(autoOwnRoles) && autoOwnRoles.size() > 1) {
+                log.warn("personId:{} ouId:{} workspaceId:{} has {} auto_own roles", req.getPersonId(), req.getOuId(), req.getWorkspaceId(), autoOwnRoles.size());
+            }
+            autoOwnRoleId = autoOwnRoles.get(0);
+        }
+
+        if (Objects.isNull(autoOwnRoleId)) {
+            SaasRoleUserRelation saasRoleUserRelation = new SaasRoleUserRelation();
+            saasRoleUserRelation.setIdentityId(req.getIdentityId());
+            saasRoleUserRelation.setIdentityType(req.getIdentityType().getCode());
+            saasRoleUserRelation.setRoleId(role.getId());
+            saasRoleUserRelation.setNaturalPersonId(req.getPersonId());
+            saasRoleUserRelation.setOuId(req.getOuId());
+            saasRoleUserRelation.setWorkspaceId(req.getWorkspaceId());
+            roleUserRelationDao.save(saasRoleUserRelation);
+        }
+
+        List<SaasPgroupRoleRelation> saasPgroupRoleRelations = saasPgroupRoleRelationDao.findByRoleIds(Sets.newHashSet(role.getId()));
+        AssertUtil.notEmpty(saasPgroupRoleRelations, "角色权限集不存在");
+
+        Long permissionGroupId = saasPgroupRoleRelations.get(0).getGroupId();
+        List<SaasPgroupPermissionRelation> saasPgroupPermissionRelations = saasPgroupPermissionRelationDao.lambdaQuery()
+                .eq(SaasPgroupPermissionRelation::getGroupId, permissionGroupId).eq(SaasPgroupPermissionRelation::getIsDelete, TableIsDeleteEnum.NORMAL.value).list();
+
+        // 新增是以featureIds维度新增，删除是以SaasPgroupPermissionRelation的id维度删除
+        Set<Long> insertFeatureIds = getInsertFeatureIds(req.getFeatureIds(), saasPgroupPermissionRelations);
+        Set<Long> deleteIds = getDeleteIds(req.getFeatureIds(), saasPgroupPermissionRelations);
+        if (CollectionUtils.isNotEmpty(insertFeatureIds)) {
+            saasPgroupPermissionRelationDao.saveBatch(insertFeatureIds.stream().map(e -> {
+                SaasPgroupPermissionRelation relation = new SaasPgroupPermissionRelation();
+                relation.setGroupId(permissionGroupId);
+                relation.setFeatureId(e);
+                relation.setCreateBy(req.getOperatorId());
+                relation.setUpdateBy(req.getOperatorId());
+                return relation;
+            }).collect(Collectors.toList()));
+        }
+        if (CollectionUtils.isNotEmpty(deleteIds)) {
+            saasPgroupPermissionRelationDao.removeByIds(deleteIds);
+        }
+    }
+
+    @Override
+    public GetUserAutoOwnRoleResp getUserAutoOwnRole(GetUserAutoOwnRoleReq req) {
+        // 查询用户所有角色
+        List<SaasRoleUserRelation> existsRoleUser = roleUserRelationDao.queryByPersonId(req.getPersonId(), req.getWorkspaceId(), req.getOuId());
+        if (CollectionUtils.isEmpty(existsRoleUser)) {
+            return GetUserAutoOwnRoleResp.EMPTY;
+        }
+        List<SaasRole> existsAutoOwnRoles = saasRoleDao.listByIds(existsRoleUser.stream().mapToLong(SaasRoleUserRelation::getRoleId).boxed().collect(Collectors.toList()))
+                .stream().filter(e -> RoleTypeEnum.AUTO_OWN.equals(RoleTypeEnum.getRoleType(e.getRoleType()))).collect(Collectors.toList());
+        if (CollectionUtils.isEmpty(existsAutoOwnRoles)) {
+            log.info("personId:{} ouId:{} workspaceId:{} has not auto_own roles", req.getPersonId(), req.getOuId(), req.getWorkspaceId());
+            return GetUserAutoOwnRoleResp.EMPTY;
+        }
+
+        List<SaasPgroupRoleRelation> saasPgroupRoleRelations = saasPgroupRoleRelationDao.findByRoleIds(Sets.newHashSet(existsAutoOwnRoles.get(0).getId()));
+        if (CollectionUtils.isEmpty(saasPgroupRoleRelations)) {
+            return GetUserAutoOwnRoleResp.EMPTY;
+        }
+
+        List<SaasPgroupPermissionRelation> saasPgroupPermissionRelations = saasPgroupPermissionRelationDao.lambdaQuery()
+                .eq(SaasPgroupPermissionRelation::getGroupId, saasPgroupRoleRelations.get(0).getGroupId())
+                .eq(SaasPgroupPermissionRelation::getIsDelete, TableIsDeleteEnum.NORMAL.value).list();
+
+        return CollectionUtils.isEmpty(saasPgroupPermissionRelations) ?  GetUserAutoOwnRoleResp.EMPTY : GetUserAutoOwnRoleResp.builder()
+                .roleId(existsAutoOwnRoles.get(0).getId())
+                .featureIds(saasPgroupPermissionRelations.stream().map(SaasPgroupPermissionRelation::getFeatureId).collect(Collectors.toList()))
+                .build();
+    }
+
     private void batchRemoveByRoleUserInfo(RoleUserInfo roleUserBaseInfo) {
         roleUserBaseInfo.getRoleUserResourceInfos().forEach(e -> {
 
@@ -445,4 +523,25 @@ public class RoleUserService implements SaasRoleUserService {
         });
     }
 
+    private Set<Long> getInsertFeatureIds(Set<Long> featureIds, List<SaasPgroupPermissionRelation> existsPgroupPermissionRelations) {
+        if (CollectionUtils.isEmpty(featureIds)) {
+            return Collections.emptySet();
+        }
+
+        if (CollectionUtils.isEmpty(existsPgroupPermissionRelations)) {
+            return featureIds;
+        }
+        Set<Long> existsFeatureIds = existsPgroupPermissionRelations.stream().map(SaasPgroupPermissionRelation::getFeatureId).collect(Collectors.toSet());
+        return featureIds.stream().filter(e -> !existsFeatureIds.contains(e)).collect(Collectors.toSet());
+    }
+
+    private Set<Long> getDeleteIds(Set<Long> featureIds, List<SaasPgroupPermissionRelation> existsPgroupPermissionRelations) {
+        if (CollectionUtils.isEmpty(existsPgroupPermissionRelations)) {
+            return Collections.emptySet();
+        }
+        if (CollectionUtils.isEmpty(featureIds)) {
+            return existsPgroupPermissionRelations.stream().map(SaasPgroupPermissionRelation::getId).collect(Collectors.toSet());
+        }
+        return existsPgroupPermissionRelations.stream().filter(e -> !featureIds.contains(e.getFeatureId())).map(SaasPgroupPermissionRelation::getId).collect(Collectors.toSet());
+    }
 }