diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java
index 3fea7c67..ac897c62 100644
--- a/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java
+++ b/tyr-server/src/main/java/cn/axzo/tyr/server/service/impl/RoleUserService.java
@@ -1,9 +1,18 @@
 package cn.axzo.tyr.server.service.impl;
+import cn.axzo.apollo.workspace.api.workspace.WorkspaceConfigApi;
+import cn.axzo.apollo.workspace.api.workspace.res.WorkspaceConfigInfo;
 import cn.axzo.basics.common.BeanMapper;
 import cn.axzo.basics.common.constant.enums.TableIsDeleteEnum;
 import cn.axzo.basics.common.exception.ServiceException;
 import cn.axzo.basics.common.util.AssertUtil;
+import cn.axzo.framework.domain.web.result.ApiResult;
+import cn.axzo.maokai.api.client.OrgJobApi;
+import cn.axzo.maokai.api.client.OrganizationalNodeUserQueryApi;
+import cn.axzo.maokai.api.vo.request.OrgJobListReq;
+import cn.axzo.maokai.api.vo.request.PersonJobAndDepartmentListReq;
+import cn.axzo.maokai.api.vo.response.OrgJobRes;
+import cn.axzo.maokai.api.vo.response.PersonJobAndDepartmentResp;
 import cn.axzo.pokonyan.config.mybatisplus.BaseEntity;
 import cn.axzo.pokonyan.util.KeysUtil;
 import cn.axzo.tyr.client.common.enums.RoleResourceTypeEnum;
@@ -16,6 +25,7 @@ import cn.axzo.tyr.client.model.roleuser.RoleUserUpdateReq;
 import cn.axzo.tyr.client.model.roleuser.dto.GetUserAutoOwnRoleResp;
 import cn.axzo.tyr.client.model.roleuser.dto.GetUserFeatureResourceIdsResp;
 import cn.axzo.tyr.client.model.roleuser.dto.IdentityInfo;
+import cn.axzo.tyr.client.model.roleuser.dto.SaasRoleUserDTO;
 import cn.axzo.tyr.client.model.roleuser.dto.SaasRoleUserV2DTO;
 import cn.axzo.tyr.client.model.roleuser.dto.SuperAminInfoResp;
 import cn.axzo.tyr.client.model.roleuser.req.AutoOwnRoleUserReq;
@@ -43,6 +53,7 @@ import cn.axzo.tyr.server.repository.entity.SaasRoleUserRelation;
 import cn.axzo.tyr.server.service.SaasRoleGroupService;
 import cn.axzo.tyr.server.service.SaasRoleUserRelationService;
 import cn.axzo.tyr.server.service.SaasRoleUserService;
+import cn.axzo.tyr.server.utils.RpcExternalUtil;
 import cn.hutool.core.collection.CollectionUtil;
 import cn.hutool.core.util.StrUtil;
 import cn.hutool.json.JSONUtil;
@@ -60,12 +71,14 @@ import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
+import java.util.function.Supplier;
 import java.util.stream.Collectors;
 /**
@@ -88,6 +101,9 @@ public class RoleUserService implements SaasRoleUserService {
 private final SaasRoleGroupRelationDao saasRoleGroupRelationDao;
 private final SaasPgroupPermissionRelationDao saasPgroupPermissionRelationDao;
 private final SaasRoleUserRelationService saasRoleUserRelationService;
+ private final OrgJobApi orgJobApi;
+ private final WorkspaceConfigApi workspaceConfigApi;
+ private final OrganizationalNodeUserQueryApi organizationalNodeUserQueryApi;
 // 单位类型默认角色关系,后面可以座位管理员的逻辑进行迭代
 @Value("#{${participateUnitDefaultRoleId:{}}}")
@@ -113,11 +129,65 @@ public class RoleUserService implements SaasRoleUserService {
 }
 }
+ /**
+ * 先写死,后面做规则引擎
+ * @param req
+ */
+ private void checkJobRole(RoleUserReq req) {
+
+ if (CollectionUtils.isEmpty(req.getUpdateRoleIds())) {
+ return;
+ }
+ WorkspaceConfigInfo workspaceConfigInfo = RpcExternalUtil.rpcApolloProcessor(() -> workspaceConfigApi.getByWorkspaceId(req.getWorkspaceId()),
+ "查询租户配置信息", req.getWorkspaceId());
+
+ if (Objects.isNull(workspaceConfigInfo) || Objects.equals(workspaceConfigInfo.getCreateUserRoleLimit(), 0)) {
+ return;
+ }
+
+ PersonJobAndDepartmentListReq personJobAndDepartmentListReq = PersonJobAndDepartmentListReq.builder()
+ .workspaceId(req.getWorkspaceId())
+ .ouId(req.getOuId())
+ .personIds(Lists.newArrayList(req.getPersonId()))
+ .build();
+ String rpcMethod = "organizationalNodeUserApi#listJobAndDepartments";
+ Supplier>> rpcSupplier = () -> organizationalNodeUserQueryApi.listJobAndDepartments(personJobAndDepartmentListReq);
+ List personJobIds = RpcExternalUtil.rpcApiResultProcessor(rpcSupplier, rpcMethod, req)
+ .stream()
+ .filter(e -> Objects.nonNull(e.getJob()))
+ .map(e -> e.getJob().getId())
+ .distinct()
+ .collect(Collectors.toList());
+ if (CollectionUtils.isEmpty(personJobIds)) {
+ return;
+ }
+
+ Set excludeRoleIds = RpcExternalUtil.rpcApiResultProcessor(() -> orgJobApi.list(OrgJobListReq.builder()
+ .jobIdList(personJobIds)
+ .build()), "查询岗位角色限制配置", personJobIds)
+ .stream()
+ .map(OrgJobRes::getExcludeRoleIds)
+ .flatMap(Collection::stream)
+ .collect(Collectors.toSet());
+
+
+ if (CollectionUtils.isEmpty(excludeRoleIds)) {
+ return;
+ }
+
+ Sets.SetView intersection = Sets.intersection(req.getUpdateRoleIds(), excludeRoleIds);
+
+ if (!intersection.isEmpty()) {
+ throw new ServiceException("不能勾选岗位的不可选角色");
+ }
+ }
 @Override
 @Transactional(rollbackFor = Exception.class)
 public void saveOrUpdate(RoleUserReq req) {
+ checkJobRole(req);
+
 Set updateRoleIds = req.getUpdateRoleIds();
 // 角色校验(不能将角色修改为管理员角色)
 if (CollectionUtils.isNotEmpty(updateRoleIds)) {
diff --git a/tyr-server/src/main/java/cn/axzo/tyr/server/utils/RpcExternalUtil.java b/tyr-server/src/main/java/cn/axzo/tyr/server/utils/RpcExternalUtil.java
index dad2c9a0..92bbfb0f 100644
--- a/tyr-server/src/main/java/cn/axzo/tyr/server/utils/RpcExternalUtil.java
+++ b/tyr-server/src/main/java/cn/axzo/tyr/server/utils/RpcExternalUtil.java
@@ -1,7 +1,9 @@
 package cn.axzo.tyr.server.utils;
+import cn.axzo.apollo.core.web.Result;
 import cn.axzo.basics.common.util.AssertUtil;
 import cn.axzo.framework.domain.ServiceException;
+import cn.axzo.framework.domain.web.result.ApiListResult;
 import cn.axzo.framework.domain.web.result.ApiResult;
 import cn.azxo.framework.common.model.CommonResponse;
 import cn.hutool.core.date.StopWatch;
@@ -10,6 +12,7 @@ import cn.hutool.http.HttpStatus;
 import cn.hutool.json.JSONUtil;
 import lombok.extern.slf4j.Slf4j;
+import java.util.List;
 import java.util.concurrent.TimeUnit;
 import java.util.function.Consumer;
 import java.util.function.Supplier;
@@ -65,4 +68,12 @@ public class RpcExternalUtil {
 return r;
 }
+ public static T rpcApolloProcessor(Supplier> supplier, String operationType, Object... param) {
+ log.info(operationType + "-Param: " + JSONUtil.toJsonStr(param));
+ Result result = printLatency(supplier,operationType);
+ log.info(operationType + "-Result: " + JSONUtil.toJsonStr(result));
+ Assert.notNull(result, "服务调用异常");
+ Assert.isTrue(result.getCode() == 200, "服务调用异常:" + result.getMsg());
+ return result.getData();
+ }
 }
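Review bot: checkJobRole in RoleUserService.java is an authorization gate that fails open: when the workspace config lookup returns no data, `Objects.isNull(workspaceConfigInfo)` returns early and the excluded-role restriction is skipped. If a missing config is meant to mean "no limit", the Javadoc should say so (it currently only notes that the rule is hard-coded for now); otherwise reject the update or at least log a warning at that branch. Separately, `.map(OrgJobRes::getExcludeRoleIds).flatMap(Collection::stream)` would throw a NullPointerException if any job carries a null exclude list (OrgJobRes is not visible here, so this is an assumption); `.map(OrgJobRes::getExcludeRoleIds).filter(Objects::nonNull).flatMap(Collection::stream)` avoids it. The added `checkJobRole(req);` also performs up to three remote lookups inside the `@Transactional` saveOrUpdate, whose body continues outside the hunk, so moving the check ahead of the transaction boundary is worth considering.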
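Review bot: rpcApolloProcessor in RpcExternalUtil.java writes the full request parameters and the full response body to the INFO log (`log.info(operationType + "-Result: " + JSONUtil.toJsonStr(result))`), so whatever the downstream service returns — tenant configuration for the caller in this commit, possibly more sensitive data for later callers — ends up in application logs. Consider keeping only the operation name and result code at INFO and moving the payload to DEBUG with a parameterized message, e.g. `log.debug("{}-Result: {}", operationType, JSONUtil.toJsonStr(result));`. `result.getCode() == 200` would unbox a null code if `getCode()` returns `Integer` (the `Result` type is not visible here), so a null-safe comparison is safer under that assumption. The method is public and undocumented; a short Javadoc stating that it throws when the call fails or the code is not 200, and that the returned data may be null, would help callers such as checkJobRole.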