diff --git a/deploy/deploy-gateway/src/main/resources/assembly.xml b/deploy/deploy-gateway/src/main/resources/assembly.xml index b28d5436..09a964df 100644 --- a/deploy/deploy-gateway/src/main/resources/assembly.xml +++ b/deploy/deploy-gateway/src/main/resources/assembly.xml @@ -20,7 +20,7 @@ unix - src/main/resources/docs + ../../docs docs unix diff --git a/deploy/deploy-peer/src/main/resources/assembly.xml b/deploy/deploy-peer/src/main/resources/assembly.xml index 4c2d4f82..2594ae14 100644 --- a/deploy/deploy-peer/src/main/resources/assembly.xml +++ b/deploy/deploy-peer/src/main/resources/assembly.xml @@ -20,7 +20,7 @@ unix - src/main/resources/docs + ../../docs docs unix diff --git a/docs/ca.md b/docs/ca.md index 75ac8f97..9da00075 100644 --- a/docs/ca.md +++ b/docs/ca.md @@ -129,7 +129,7 @@ TransactionTemplate txTemp = blockchainService.newTransaction(ledger); txTemp.metaInfo().ca(X509Utils.resolveCertificate("*.crt")); ``` -命令行方式:[更新账本证书](tx.md#更新账本证书) +命令行方式:[更新账本根证书](cli/tx.md#更新账本根证书) 2. 节点/网关/普通用户证书 @@ -141,7 +141,7 @@ txTemp.metaInfo().ca(X509Utils.resolveCertificate("*.crt")); txTemp.user("user address").ca(X509Utils.resolveCertificate("*.crt")); ``` -命令行方式:[更新用户证书](tx.md#更新用户证书) +命令行方式:[更新用户证书](cli/tx.md#更新用户证书) ### 证书生成 diff --git a/docs/cli/tx.md b/docs/cli/tx.md index 21d9c7e0..e253542b 100644 --- a/docs/cli/tx.md +++ b/docs/cli/tx.md @@ -16,7 +16,7 @@ Build, sign or send transaction. --pretty Pretty json print -V, --version Print version information and exit. Commands: - root-ca Update ledger certificates. + root-ca Update ledger root certificates. user-register Register new user. user-ca Update user certificate. user-state Update user(certificate) state. 
@@ -46,10 +46,10 @@ Commands: - `home`,指定密钥存储相关目录,`${home}/config/keys` 命令: -- `ledger-ca-update`,[更新账本证书](#更新账本证书) +- `root-ca`,[更新账本根证书](#更新账本根证书) - `user-register`,[注册用户](#注册用户) -- `user-ca-update`,[更新用户证书](#更新用户证书) -- `user-state-update`,[更新用户(证书)状态](#更新用户(证书)状态) +- `user-ca`,[更新用户证书](#更新用户证书) +- `user-state`,[更新用户(证书)状态](#更新用户(证书)状态) - `role`,[角色管理](#角色管理) - `authorization`,[权限配置](#权限配置) - `data-account-register`,[注册数据账户](#注册数据账户) @@ -62,15 +62,15 @@ Commands: - `contract-deploy`,[部署合约](#部署合约) - `contract-permission`,[修改合约权限](#修改合约权限) - `contract`,[合约调用](#合约调用) -- `contract-state-update`,[更新合约状态](#更新合约状态) +- `contract-state`,[更新合约状态](#更新合约状态) - `sign`,[离线交易签名](#离线交易签名) - `send`,[离线交易发送](#离线交易发送) -#### 更新账本证书 +#### 更新账本根证书 ```bash -:bin$ ./jdchain-cli.sh tx ledger-ca-update -h -Update ledger certificates. +:bin$ ./jdchain-cli.sh tx root-ca -h +Update ledger root certificates. Usage: jdchain-cli tx ledger-ca-update [-hV] [--pretty] --crt= [--export=] [--gw-host=] [--gw-port=] [--home=] @@ -89,7 +89,7 @@ Usage: jdchain-cli tx ledger-ca-update [-hV] [--pretty] --crt= 如: ```bash -:bin$ $ ./jdchain-cli.sh tx ledger-ca-update --crt /home/imuge/jd/nodes/peer0/config/keys/ledger.crt --operation UPDATE +:bin$ $ ./jdchain-cli.sh tx root-ca --crt /home/imuge/jd/nodes/peer0/config/keys/ledger.crt --operation UPDATE select ledger, input the index: INDEX LEDGER 0 j5pFrMigE47t6TobQJXsztnoeA29H31v1vHHF1wqCp4rzi @@ -161,9 +161,9 @@ register user: [LdeNwQWabrf6WSjZ35saFo52MfQFhVKvm11aC] #### 更新用户证书 ```bash -:bin$ ./jdchain-cli.sh tx ledger-ca-update -h +:bin$ ./jdchain-cli.sh tx user-ca -h Update user certificate. -Usage: jdchain-cli tx user-ca-update [-hV] [--pretty] [--crt=] +Usage: jdchain-cli tx user-ca [-hV] [--pretty] [--crt=] [--export=] [--gw-host=] [--gw-port=] [--home=] --crt= File of the X509 certificate 
@@ -179,7 +179,7 @@ Usage: jdchain-cli tx user-ca-update [-hV] [--pretty] [--crt=] 如: ```bash -:bin$ $ ./jdchain-cli.sh tx user-ca-update --crt /home/imuge/jd/nodes/peer0/config/keys/peer0.crt +:bin$ $ ./jdchain-cli.sh tx user-ca --crt /home/imuge/jd/nodes/peer0/config/keys/peer0.crt select ledger, input the index: INDEX LEDGER 0 j5pFrMigE47t6TobQJXsztnoeA29H31v1vHHF1wqCp4rzi @@ -200,9 +200,9 @@ user: [LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W] ca updated #### 更新用户(证书)状态 ```bash -:bin$ ./jdchain-cli.sh tx user-state-update -h +:bin$ ./jdchain-cli.sh tx user-state -h Update user(certificate) state. -Usage: jdchain-cli tx user-state-update [-hV] [--pretty] --address=
+Usage: jdchain-cli tx user-state [-hV] [--pretty] --address=
[--export=] [--gw-host=] [--gw-port=] [--home=] @@ -222,7 +222,7 @@ Usage: jdchain-cli tx user-state-update [-hV] [--pretty] --address=
如冻结用户`LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W`: ```bash -:bin$ $ ./jdchain-cli.sh tx user-state-update --address LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W --state FREEZE +:bin$ $ ./jdchain-cli.sh tx user-state --address LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W --state FREEZE select ledger, input the index: INDEX LEDGER 0 j5pFrMigE47t6TobQJXsztnoeA29H31v1vHHF1wqCp4rzi @@ -752,9 +752,9 @@ return string: LdeNqvSjL4izfpMNsGpQiBpTBse4g6qLxZ6j5 #### 更新合约状态 ```bash -:bin$ ./jdchain-cli.sh tx contract-state-update -h +:bin$ ./jdchain-cli.sh tx contract-state -h Update contract state. -Usage: jdchain-cli tx contract-state-update [-hV] [--pretty] +Usage: jdchain-cli tx contract-state [-hV] [--pretty] --address=
[--export=] [--gw-host=] [--gw-port=] [--home=] --state= --address=
Contract address @@ -773,7 +773,7 @@ Usage: jdchain-cli tx contract-state-update [-hV] [--pretty] 如冻结合约`LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W`: ```bash -:bin$ $ ./jdchain-cli.sh tx contract-state-update --address LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W --state FREEZE +:bin$ $ ./jdchain-cli.sh tx contract-state --address LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W --state FREEZE select ledger, input the index: INDEX LEDGER 0 j5pFrMigE47t6TobQJXsztnoeA29H31v1vHHF1wqCp4rzi diff --git a/docs/data_permission.md b/docs/data_permission.md new file mode 100644 index 00000000..04701652 --- /dev/null +++ b/docs/data_permission.md 
@@ -0,0 +1,94 @@ +## 账户级别权限 + +数据账户,事件账户以及合约账户数据权限设计。 + +**数据读取完全开放**,本文档讨论全新变更仅对数据写入和合约调用生效。 + +### 权限定义 + +类似`linux`文件权限,使用用10位数据表示账户数据权限信息: +`0 123 456 789` + +- `0`: 数据集或者合约, `-`或`c` +- `123`: 所有者列表, `read(-/r)`, `write(-/w)` 以及 `execute(-/x)` +- `456`: 所属角色, `read(-/r)`, `write(-/w)` 以及 `execute(-/x)` +- `789`: 其他用户, `read(-/r)`, `write(-/w)` 以及 `execute(-/x)` + +> 当前实现数据账户仅对`write`权限更新有效;事件账户仅对`write`权限更新有效;合约仅对`execute`权限更新有效。 + +### 实现 + +权限数据存储与数据集头信息中,`SecurityPolicy`中增加: +```java +// 查询/写入/执行 权限校验 +void checkDataPermission(DataPermission permission, DataPermissionType permissionType) throws LedgerSecurityException; + +// 账户创建者校验,只有创建者才能修改数据权限 +void checkDataOwners(DataPermission permission, MultiIDsPolicy midPolicy) throws LedgerSecurityException; +``` + +在数据写入/合约方法调用前进行权限校验 + + + +数据账户,事件账户,合约账户均实现`PermissionAccount`接口: +```java +public interface PermissionAccount { + +DataPermission getPermission(); + +void setPermission(DataPermission permission); + +void setModeBits(AccountModeBits modeBits); + +void setRole(String role); +} +``` + +增加`AccountPermissionSetOperation`账户数据权限设置操作及其处理逻辑 + +### SDK + +统一使用风格 + +#### 数据账户 + +```java +txTemp.dataAccount("LdeNrUrMGxkG1R5mDNwrUvkFdRdD91xH1Pcvd") +.permission() // 创建权限修改操作构造器 +.mode(777) // 设置权限值,与 linux chmod 操作类似 +.role("ADMIN"); // 设置账户数据所属角色 +``` + +#### 事件账户 + +```java +txTemp.eventAccount("LdeNrUrMGxkG1R5mDNwrUvkFdRdD91xH1Pcvd") +.permission() // 创建权限修改操作构造器 +.mode(777) // 设置权限值,与 linux chmod 操作类似 +.role("ADMIN"); // 设置账户数据所属角色 +``` + +#### 合约账户 + +```java +txTemp.contract("LdeNrUrMGxkG1R5mDNwrUvkFdRdD91xH1Pcvd") +.permission() // 创建权限修改操作构造器 +.mode(777) // 设置权限值,与 linux chmod 操作类似 +.role("ADMIN"); // 设置账户数据所属角色 +``` + +### JD Chain Cli + + +#### 数据账户 + +[更新数据账户权限](cli/tx.md#修改数据账户权限) + +#### 事件账户 + +[更新数据账户权限](cli/tx.md#修改事件账户权限) + +#### 合约账户 + +[更新合约权限](cli/tx.md#修改合约权限) diff --git a/docs/user.md b/docs/user.md index 26ebae95..56570247 100644 --- a/docs/user.md +++ b/docs/user.md 
@@ -36,12 +36,8 @@ public enum RolesPolicy { - `CONFIGURE_ROLES`配置角色 - `AUTHORIZE_USER_ROLES`授权用户角色 -- SET_CONSENSUS 设置共识协议 -- SET_CRYPTO 设置密码体系 - `APPROVE_TX`参与方核准交易,如果不具备此项权限,则无法作为节点签署由终端提交的交易 -- `CONSENSUS_TX`参与方共识交易 - `REGISTER_PARTICIPANT`注册参与方 -- SET_USER_ATTRIBUTES 设置用户属性 - `REGISTER_USER`注册用户 - `REGISTER_EVENT_ACCOUNT`注册事件账户 - `WRITE_EVENT_ACCOUNT`发布事件 @@ -49,6 +45,10 @@ public enum RolesPolicy { - `WRITE_DATA_ACCOUNT`写入数据账户 - `REGISTER_CONTRACT`注册合约 - `UPGRADE_CONTRACT`升级合约 +- `UPDATE_USER_STATE`更新用户(证书)状态 +- `UPDATE_ROOT_CA`更新账本根证书 +- `UPDATE_USER_CA`更新用户(证书)状态 +- `UPDATE_CONTRACT_STATE`更新合约状态 #### 3.2 交易权限
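Review bot: the rename to `root-ca` is incomplete in the `@@ -62,15 +62,15 @@` hunk of docs/cli/tx.md: the heading, the `-h` invocation and the description line are updated, but the unchanged context line `Usage: jdchain-cli tx ledger-ca-update [-hV] [--pretty] --crt= [--export=] ...` directly below still shows the old subcommand, so the help output reproduced in the doc contradicts the command above it (the `@@ -89,7 +89,7 @@` hunk header shows the same stale `Usage:` text). Change it to `Usage: jdchain-cli tx root-ca [-hV] [--pretty] --crt= ...`, as was done for `user-ca`, `user-state` and `contract-state` in the later hunks.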
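Review bot: the `@@ -773,7 +773,7 @@` hunk in docs/cli/tx.md keeps `如冻结合约` followed by `--address LdeNpEmyh5DMwbAwamxNaiJgMVGn6aTtQDA5W`, which is the same value the `@@ -222,7 +222,7 @@` hunk uses as the user address in `如冻结用户`; reusing a user address as the sample contract address makes the two state-freeze examples hard to tell apart, so the contract example should use a distinct (placeholder) contract address.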
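Review bot: every SDK example in the new docs/data_permission.md sets `.mode(777)`, which in the documented `0 123 456 789` layout grants `write` (and `execute`) to the `其他用户` group, i.e. to every user, while the document itself says reads are already fully open and that only the `write` and `execute` bits are enforced; the one bit that matters is therefore shown in its most permissive setting. Show an owner-or-role-only value instead, state what mode a newly created data/event/contract account gets by default (the hunk never says), and say how `mode()` parses its argument, since `777` is a Java decimal literal and a caller who writes `0777` by chmod habit passes octal 511. Smaller points in the same hunk: `使用用10位` has a doubled `用`; `权限数据存储与数据集头信息中` should be `存储于`; under `### JD Chain Cli` / `#### 事件账户` the link text says `更新数据账户权限` but the target is `cli/tx.md#修改事件账户权限`, so the text should read `更新事件账户权限`; and the doc should say whether `AccountPermissionSetOperation` is gated only by `checkDataOwners` (the docs/user.md hunk adds no ledger-level permission for it).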
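Review bot: in the `@@ -49,6 +45,10 @@` hunk of docs/user.md the added line `- `UPDATE_USER_CA`更新用户(证书)状态` repeats the description of `UPDATE_USER_STATE` on the line above; given the `user-ca` command and the `更新用户证书` section in docs/cli/tx.md, it should read `- `UPDATE_USER_CA`更新用户证书`.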
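Review bot: the `@@ -36,12 +36,8 @@` hunk of docs/user.md silently drops `SET_CONSENSUS`, `SET_CRYPTO`, `CONSENSUS_TX` and `SET_USER_ATTRIBUTES` from the documented permission list, but this change touches only documentation; confirm those values were actually removed from the enum (or note them as deprecated in the list), otherwise an operator auditing a role that still carries one of them has no documentation of what it grants.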
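Review bot: both assembly.xml hunks replace the docs fileSet `src/main/resources/docs` with `../../docs`, which the assembly plugin resolves against the module basedir, so deploy-gateway and deploy-peer now both package the repository-root `docs` tree (including `cli/` and the new `data_permission.md`, which the updated `cli/tx.md#...` links in docs/ca.md rely on); remove any remaining copies under `deploy/*/src/main/resources/docs` in the same change so the two sources cannot drift, and mention in the commit message that the packaged docs location changed.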