diff --git a/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/definition/BpmDefinitionController.java b/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/definition/BpmDefinitionController.java index 39d628c82..097004878 100644 --- a/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/definition/BpmDefinitionController.java +++ b/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/definition/BpmDefinitionController.java @@ -8,6 +8,7 @@ import cn.iocoder.yudao.framework.common.pojo.PageResult; import io.swagger.annotations.Api; import io.swagger.annotations.ApiImplicitParam; import io.swagger.annotations.ApiOperation; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RequestMapping; @@ -27,10 +28,9 @@ public class BpmDefinitionController { @Resource private BpmDefinitionService bpmDefinitionService; - // TODO 芋艿:权限 - @GetMapping ("/page") @ApiOperation(value = "获得流程定义分页") + @PreAuthorize("@ss.hasPermission('bpm:model:query')") // 暂时使用 model 的权限标识 public CommonResult> getDefinitionPage(BpmProcessDefinitionPageReqVO pageReqVO) { return success(bpmDefinitionService.getDefinitionPage(pageReqVO)); } @@ -48,6 +48,7 @@ public class BpmDefinitionController { @GetMapping ("/get-bpmn-xml") @ApiOperation(value = "获得流程定义的 BPMN XML") @ApiImplicitParam(name = "id", value = "编号", required = true, example = "1024", dataTypeClass = String.class) + @PreAuthorize("@ss.hasPermission('bpm:model:query')") // 暂时使用 model 的权限标识 public CommonResult getDefinitionBpmnXML(@RequestParam("id") String id) { String bpmnXML = bpmDefinitionService.getDefinitionBpmnXML(id); return success(bpmnXML); 
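Review bot: In BpmDefinitionController, both `getDefinitionPage` and `getDefinitionBpmnXML` are now gated on `bpm:model:query`, so anyone allowed to list models can also read the BPMN XML of deployed definitions, and the two cannot be granted separately. The inline comment says this reuse is temporary, but the commit also deletes the `// TODO 芋艿:权限` marker, so nothing tracks the follow-up. I would keep a marker next to both annotations, for example `// TODO: switch to a dedicated definition permission once one is defined`. The lines between the `/page` hunk and the `/get-bpmn-xml` hunk are not shown; if another handler sits there, it presumably needs the same `@PreAuthorize`, since a handler without the annotation gets no permission check from method security.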
diff --git a/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/model/BpmModelController.java b/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/model/BpmModelController.java index d4fe10624..9da0a7166 100644 --- a/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/model/BpmModelController.java +++ b/yudao-admin-server/src/main/java/cn/iocoder/yudao/adminserver/modules/bpm/controller/model/BpmModelController.java @@ -9,10 +9,12 @@ import cn.iocoder.yudao.framework.common.util.io.IoUtils; import io.swagger.annotations.Api; import io.swagger.annotations.ApiImplicitParam; import io.swagger.annotations.ApiOperation; +import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.validation.annotation.Validated; import org.springframework.web.bind.annotation.*; import javax.annotation.Resource; +import javax.validation.Valid; import java.io.IOException; import static cn.iocoder.yudao.framework.common.pojo.CommonResult.success; @@ -26,8 +28,6 @@ public class BpmModelController { @Resource private BpmModelService bpmModelService; - // TODO @芋艿:权限、参数校验 - @GetMapping("/page") @ApiOperation(value = "获得模型分页") public CommonResult> getModelPage(ModelPageReqVO pageVO) { @@ -37,7 +37,7 @@ public class BpmModelController { @GetMapping("/get") @ApiOperation("获得模型") @ApiImplicitParam(name = "id", value = "编号", required = true, example = "1024", dataTypeClass = String.class) -// @PreAuthorize("@ss.hasPermission('bpm:form:query')") + @PreAuthorize("@ss.hasPermission('bpm:model:query')") public CommonResult getModel(@RequestParam("id") String id) { BpmModelRespVO model = bpmModelService.getModel(id); return success(model); 
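Review bot: `getModelPage` (`/page`) in BpmModelController still has no `@PreAuthorize` and no `@Valid`, yet the hunk at `@@ -26,8 +28,6 @@` deletes the `// TODO @芋艿:权限、参数校验` marker that was tracking exactly that. Every other handler touched in this file gets a permission check, so the listing endpoint is left as the one route in the controller that needs no `bpm:model:*` permission and is limited only by whatever the URL-level security configuration enforces. I would add `@PreAuthorize("@ss.hasPermission('bpm:model:query')")` above the method and change the parameter to `@Valid ModelPageReqVO pageVO`, matching `getModel` in the following hunk. The method body continues past the end of the hunk.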
@@ -45,13 +45,15 @@ public class BpmModelController { @PostMapping("/create") @ApiOperation(value = "新建模型") - public CommonResult createModel(@RequestBody BpmModelCreateReqVO createRetVO) { + @PreAuthorize("@ss.hasPermission('bpm:model:create')") + public CommonResult createModel(@Valid @RequestBody BpmModelCreateReqVO createRetVO) { return success(bpmModelService.createModel(createRetVO)); } @PostMapping("/import") @ApiOperation(value = "导入模型") - public CommonResult importModel(BpmModeImportReqVO importReqVO) throws IOException { + @PreAuthorize("@ss.hasPermission('bpm:model:import')") + public CommonResult importModel(@Valid BpmModeImportReqVO importReqVO) throws IOException { BpmModelCreateReqVO createReqVO = BpmModelConvert.INSTANCE.convert(importReqVO); // 读取文件 createReqVO.setBpmnXml(IoUtils.readUtf8(importReqVO.getBpmnFile().getInputStream(), false)); @@ -60,7 +62,8 @@ public class BpmModelController { @PutMapping("/update") @ApiOperation(value = "修改模型") - public CommonResult updateModel(@RequestBody BpmModelUpdateReqVO modelVO) { + @PreAuthorize("@ss.hasPermission('bpm:model:update')") + public CommonResult updateModel(@Valid @RequestBody BpmModelUpdateReqVO modelVO) { bpmModelService.updateModel(modelVO); return success(true); } @@ -68,6 +71,7 @@ public class BpmModelController { @DeleteMapping("/delete") @ApiOperation("删除模型") @ApiImplicitParam(name = "id", value = "编号", required = true, example = "1024", dataTypeClass = String.class) + @PreAuthorize("@ss.hasPermission('bpm:model:delete')") public CommonResult deleteModel(@RequestParam("id") String id) { bpmModelService.deleteModel(id); return success(true); 
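Review bot: `importModel` reads the whole uploaded file into a string with `IoUtils.readUtf8(importReqVO.getBpmnFile().getInputStream(), false)`, and the added `@Valid` only helps if `BpmModeImportReqVO` declares constraints, which this diff does not show. If `bpmnFile` carries no `@NotNull`, a request without the file part would fail with a NullPointerException on `getBpmnFile()` instead of a validation error. The `false` argument looks like a do-not-close flag, in which case the stream is left open, and opening it in a try-with-resources would settle that. Because the XML is passed on to the model service, it is also worth confirming that a multipart size limit is configured and that the BPMN parser downstream has DTDs and external entities disabled. The method body continues outside the hunk.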
@@ -76,6 +80,7 @@ public class BpmModelController { @PostMapping("/deploy") @ApiOperation(value = "部署模型") @ApiImplicitParam(name = "id", value = "编号", required = true, example = "1024", dataTypeClass = String.class) + @PreAuthorize("@ss.hasPermission('bpm:model:deploy')") public CommonResult deployModel(@RequestParam("id") String id) { bpmModelService.deployModel(id); return success(true); @@ -83,7 +88,8 @@ public class BpmModelController { @PutMapping("/update-state") @ApiOperation(value = "修改模型的状态", notes = "实际更新的部署的流程定义的状态") - public CommonResult updateModelState(@RequestBody BpmModelUpdateStateReqVO reqVO) { + @PreAuthorize("@ss.hasPermission('bpm:model:update')") + public CommonResult updateModelState(@Valid @RequestBody BpmModelUpdateStateReqVO reqVO) { bpmModelService.updateModelState(reqVO.getId(), reqVO.getState()); return success(true); } diff --git a/yudao-admin-ui/src/views/bpm/model/index.vue b/yudao-admin-ui/src/views/bpm/model/index.vue index db9d8f946..469184fe5 100644 --- a/yudao-admin-ui/src/views/bpm/model/index.vue +++ b/yudao-admin-ui/src/views/bpm/model/index.vue @@ -26,11 +26,11 @@ 新建流程模型 + v-hasPermi="['bpm:model:create']">新建流程模型 导入流程模型 + v-hasPermi="['bpm:model:import']">导入流程模型 @@ -84,10 +84,14 @@
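Review bot: `updateModelState` in BpmModelController is guarded with `bpm:model:update`, but its own `@ApiOperation` notes say it actually updates the state of the deployed process definition, so anyone who may edit a model draft can presumably also change the state of what is already running. `deployModel` in the preceding hunk has a separate `bpm:model:deploy` permission for acting on deployed definitions. I would use that one here, `@PreAuthorize("@ss.hasPermission('bpm:model:deploy')")`, or introduce a dedicated state-change permission. The added `@Valid` on `reqVO` only takes effect if `BpmModelUpdateStateReqVO` constrains `id` and `state`, which is not visible in this diff.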