diff --git a/src/test/testRBAC.lua b/src/test/testRBAC.lua
new file mode 100644
index 0000000..a6ab697
--- /dev/null
+++ b/src/test/testRBAC.lua
@@ -0,0 +1,62 @@
+---
+--- Generated by EmmyLua(https://github.com/EmmyLua)
+--- Created by admin.
+--- DateTime: 2025/11/3 11:38
+---
+
+local rbac = require("util.rbac")
+
+-- 创建RBAC实例
+local permission_system = rbac.new()
+
+-- 定义权限
+permission_system:add_permission("read_users", "/users", "GET")
+permission_system:add_permission("create_users", "/users", "POST")
+permission_system:add_permission("delete_users", "/users", "DELETE")
+permission_system:add_permission("admin_panel", "/admin", "GET")
+
+-- 定义角色
+permission_system:add_role("guest", {"read_users"})
+permission_system:add_role("user_manager", {"read_users", "create_users"})
+permission_system:add_role("super_admin", {"read_users", "create_users", "delete_users", "admin_panel"})
+
+-- 分配角色给用户
+permission_system:assign_role("user001", "guest")
+permission_system:assign_role("user002", "user_manager")
+permission_system:assign_role("admin001", "super_admin")
+
+-- 测试权限验证
+print("=== RBAC权限验证测试 ===")
+
+-- 测试用户001(guest角色)
+local test_cases = {
+ {user_id = "user001", resource = "/users", action = "GET", expected = true},
+ {user_id = "user001", resource = "/users", action = "POST", expected = false},
+ {user_id = "user001", resource = "/admin", action = "GET", expected = false},
+
+ {user_id = "user002", resource = "/users", action = "GET", expected = true},
+ {user_id = "user002", resource = "/users", action = "POST", expected = true},
+ {user_id = "user002", resource = "/admin", action = "GET", expected = false},
+
+ {user_id = "admin001", resource = "/users", action = "GET", expected = true},
+ {user_id = "admin001", resource = "/users", action = "DELETE", expected = true},
+ {user_id = "admin001", resource = "/admin", action = "GET", expected = true}
+}
+
+for _, test in ipairs(test_cases) do
+ local result = permission_system:check_permission(test.user_id, test.resource, test.action)
+ local status = result == test.expected and "✓ 通过" or "✗ 失败"
+ print(string.format("%s 用户:%s 资源:%s 方法:%s 结果:%s",
+ status, test.user_id, test.resource, test.action, tostring(result)))
+end
+
+-- 显示用户权限列表
+print("\n=== 用户权限列表 ===")
+local users = {"user001", "user002", "admin001"}
+for _, user_id in ipairs(users) do
+ local permissions = permission_system:get_user_permissions(user_id)
+ print(string.format("用户 %s 的权限:", user_id))
+ for _, perm in ipairs(permissions) do
+ print(string.format(" - %s %s", perm.action, perm.resource))
+ end
+end
\ No newline at end of file
diff --git a/src/util/rbac.lua b/src/util/rbac.lua
new file mode 100644
index 0000000..a44eb44
--- /dev/null
+++ b/src/util/rbac.lua
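Review bot: In src/test/testRBAC.lua the loop over `test_cases` only prints `✓ 通过` or `✗ 失败`, so a regression in `check_permission` still lets the script exit with status 0 and nothing fails in CI. Make the mismatch fatal, for example `assert(result == test.expected, string.format("%s %s %s", test.user_id, test.action, test.resource))` in place of the status print, or count failures and call `os.exit(1)` at the end. The table also has no deny-path rows for a user that was never assigned a role, a user assigned an undefined role, or near-miss inputs such as `"/users/"` or `"get"`; those rows are what pin the check as fail-closed.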
@@ -0,0 +1,78 @@
+---
+--- Generated by EmmyLua(https://github.com/EmmyLua)
+--- Created by admin.
+--- DateTime: 2025/11/3 11:31
+---
+
+local RBAC = {}
+RBAC.__index = RBAC
+
+-- RBAC模型初始化
+function RBAC.new()
+ local self = setmetatable({}, RBAC)
+ self.users = {} -- 用户表: {user_id = {roles = {role1, role2}}}
+ self.roles = {} -- 角色表: {role_name = {permissions = {perm1, perm2}}}
+ self.permissions = {} -- 权限表: {perm_name = {resource = "", action = ""}}
+ return self
+end
+
+-- 添加权限
+function RBAC:add_permission(perm_name, resource, action)
+ self.permissions[perm_name] = {
+ resource = resource,
+ action = action
+ }
+end
+
+-- 添加角色并分配权限
+function RBAC:add_role(role_name, permissions)
+ self.roles[role_name] = {
+ permissions = permissions or {}
+ }
+end
+
+-- 分配角色给用户
+function RBAC:assign_role(user_id, role_name)
+ if not self.users[user_id] then
+ self.users[user_id] = {roles = {}}
+ end
+ table.insert(self.users[user_id].roles, role_name)
+end
+
+-- 检查用户权限
+function RBAC:check_permission(user_id, resource, action)
+ local user = self.users[user_id]
+ if not user then return false end
+
+ for _, role_name in ipairs(user.roles) do
+ local role = self.roles[role_name]
+ if role then
+ for _, perm_name in ipairs(role.permissions) do
+ local permission = self.permissions[perm_name]
+ if permission and permission.resource == resource and permission.action == action then
+ return true
+ end
+ end
+ end
+ end
+ return false
+end
+
+-- 获取用户所有权限
+function RBAC:get_user_permissions(user_id)
+ local user_permissions = {}
+ local user = self.users[user_id]
+ if not user then return user_permissions end
+
+ for _, role_name in ipairs(user.roles) do
+ local role = self.roles[role_name]
+ if role then
+ for _, perm_name in ipairs(role.permissions) do
+ table.insert(user_permissions, self.permissions[perm_name])
+ end
+ end
+ end
+ return user_permissions
+end
+
+return RBAC
\ No newline at end of file
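Review bot: `assign_role` records any `role_name` without checking that it exists in `self.roles`, and `add_role` likewise stores permission names that were never registered, so a typo or stale name is kept silently and becomes a live grant as soon as a role or permission with that name is defined later. Rejecting unknown names when they are assigned keeps the policy explicit, e.g. `if not self.roles[role_name] then return nil, "unknown role: " .. tostring(role_name) end` at the top of `assign_role`, with an equivalent check over `permissions` in `add_role`. Separately, `add_role` keeps the caller's `permissions` table and `get_user_permissions` returns the entries of `self.permissions` by reference, so any code holding either table can change what `check_permission` decides. Copying on the way in and out (`{resource = p.resource, action = p.action}`) avoids that.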