diff --git a/backend/apps/system/api/variable_api.py b/backend/apps/system/api/variable_api.py
index 75146239..cca1af84 100644
--- a/backend/apps/system/api/variable_api.py
+++ b/backend/apps/system/api/variable_api.py
@@ -8,27 +8,32 @@
 from apps.system.models.system_variable_model import SystemVariable
 from common.core.config import settings
 from common.core.deps import SessionDep, CurrentUser, Trans
+from apps.system.schemas.permission import SqlbotPermission, require_permissions
 
 router = APIRouter(tags=["System_variable"], prefix="/sys_variable")
 path = settings.EXCEL_PATH
 
 
 @router.post("/save", response_model=None, summary=f"{PLACEHOLDER_PREFIX}variable_save")
+@require_permissions(permission=SqlbotPermission(role=['admin']))
 async def save_variable(session: SessionDep, user: CurrentUser, trans: Trans, variable: SystemVariable):
     return save(session, user, trans, variable)
 
 
 @router.post("/delete",response_model=None, summary=f"{PLACEHOLDER_PREFIX}variable_delete")
+@require_permissions(permission=SqlbotPermission(role=['admin']))
 async def delete_variable(session: SessionDep, ids: List[int]):
     return delete(session, ids)
 
 
 @router.post("/listAll",response_model=None, summary=f"{PLACEHOLDER_PREFIX}variable_list")
+@require_permissions(permission=SqlbotPermission(role=['admin']))
 async def list_all_data(session: SessionDep, trans: Trans, variable: SystemVariable = None):
     return list_all(session, trans, variable)
 
 
 @router.post("/listPage/{pageNum}/{pageSize}",response_model=None, summary=f"{PLACEHOLDER_PREFIX}variable_page")
+@require_permissions(permission=SqlbotPermission(role=['admin']))
 async def pager(session: SessionDep, trans: Trans, pageNum: int, pageSize: int,
                         variable: SystemVariable = None):
     return await list_page(session, trans, pageNum, pageSize, variable)