diff --git a/src/main/java/com/ffii/fpsms/modules/user/req/NewUserReq.java b/src/main/java/com/ffii/fpsms/modules/user/req/NewUserReq.java index 560b5f9..6097694 100644 --- a/src/main/java/com/ffii/fpsms/modules/user/req/NewUserReq.java +++ b/src/main/java/com/ffii/fpsms/modules/user/req/NewUserReq.java @@ -10,6 +10,8 @@ public class NewUserReq extends UpdateUserReq { @Pattern(regexp = "^[A-Za-z0-9]+$") private String username; + private String password; + public String getUsername() { return username; } @@ -18,4 +20,11 @@ public class NewUserReq extends UpdateUserReq { this.username = username; } + public String getPassword() { + return password; + } + + public void setPassword(String password) { + this.password = password; + } } diff --git a/src/main/java/com/ffii/fpsms/modules/user/req/UpdateUserReq.java b/src/main/java/com/ffii/fpsms/modules/user/req/UpdateUserReq.java index b70c049..efe0c63 100644 --- a/src/main/java/com/ffii/fpsms/modules/user/req/UpdateUserReq.java +++ b/src/main/java/com/ffii/fpsms/modules/user/req/UpdateUserReq.java @@ -15,7 +15,6 @@ public class UpdateUserReq { private Boolean locked; @Size(max = 90) - @NotBlank private String name; private String firstname; @@ -24,11 +23,6 @@ public class UpdateUserReq { private String locale; private String remarks; - @NotBlank - @Email - private String email; - @NotBlank - private String department; // @NotNull private List addGroupIds; @@ -132,20 +126,4 @@ public class UpdateUserReq { this.remarks = remarks; } - public String getEmail() { - return email; - } - - public void setEmail(String email) { - this.email = email; - } - - public String getDepartment() { - return department; - } - - public void setDepartment(String department) { - this.department = department; - } - } diff --git a/src/main/java/com/ffii/fpsms/modules/user/service/GroupService.java b/src/main/java/com/ffii/fpsms/modules/user/service/GroupService.java index 678fa41..2d41d9e 100644 
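Review bot: The new `password` field in NewUserReq is accepted with no constraint, while `username` directly above it carries `@Pattern`, so a null, empty or arbitrarily long password reaches the service unchecked. Consider `@NotBlank` plus a `@Size` bound taken from the project's password policy, and confirm the service encodes the value before it is stored, which this hunk does not show. If Jackson is the binder here, marking the field `@JsonProperty(access = JsonProperty.Access.WRITE_ONLY)` keeps it out of any serialized response. The getter and setter added in the next hunk need no change.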
--- a/src/main/java/com/ffii/fpsms/modules/user/service/GroupService.java +++ b/src/main/java/com/ffii/fpsms/modules/user/service/GroupService.java @@ -96,7 +96,7 @@ public class GroupService extends AbstractBaseEntityService 0) { oldValueJson = JsonUtils.toJsonString(jdbcDao.queryForMap(sql.toString(), Map.of("id", instance.getId())).orElseThrow(NotFoundException::new)); } - + instance = saveAndFlush(instance); Long id = instance.getId(); @@ -172,5 +172,41 @@ public class GroupService extends AbstractBaseEntityService args) { + StringBuilder sql = new StringBuilder("select" + + " g.name " + + " from user u " + + " left join user_group ug on u.id = ug.userId " + + " left join `group`g on ug.groupId = g.id " + + " where g.deleted = false " + + " and u.id = :userId" + ); + return jdbcDao.queryForList(sql.toString(), args).stream().map(String::valueOf).collect(Collectors.joining(",")); + } + + + @Transactional(rollbackFor = Exception.class) + public List> listAuth(Map args) { + + StringBuilder sql = new StringBuilder("SELECT" + + " a.id, " + + " a.module," + + " a.authority," + + " a.name," + + " a.description, "); + if (args.containsKey("groupId")) { + sql.append(" EXISTS(SELECT 1 FROM group_authority ga WHERE a.id = ga.authId AND groupId = :groupId) AS v"); + } + else if (args.containsKey("userId")) { + sql.append(" EXISTS(SELECT 1 FROM user_authority ua WHERE a.id = ua.authId AND userId = :userId) AS v"); + } + else + sql.append(" 0 AS v"); + sql.append(" FROM authority a" + + " ORDER BY a.module, a.name"); + + return jdbcDao.queryForList(sql.toString(), args); + } } diff --git a/src/main/java/com/ffii/fpsms/modules/user/service/UserService.java b/src/main/java/com/ffii/fpsms/modules/user/service/UserService.java index 9cb249d..e1c20f0 100644 --- a/src/main/java/com/ffii/fpsms/modules/user/service/UserService.java +++ b/src/main/java/com/ffii/fpsms/modules/user/service/UserService.java 
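Review bot: In the first added method the rows returned by `jdbcDao.queryForList` are turned into text with `String::valueOf`; since `listAuth` below returns the same call's result as a list of maps, each element is presumably a row map and the joined string would read like `{name=...}` rather than the group name. Mapping with `row -> String.valueOf(row.get("name"))` would give the intended comma-separated names. The `where g.deleted = false` filter on a left-joined table also drops users that have no group, so the left joins behave as inner joins. `listAuth` only reads, so `@Transactional(readOnly = true)` would describe it better than `rollbackFor = Exception.class`; the signature of the first method is not legible in this hunk.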
@@ -6,6 +6,7 @@ import java.util.List; import java.util.Map; import java.util.Optional; import java.util.Set; +import java.util.stream.Collectors; import org.apache.commons.lang3.StringUtils; import org.springframework.beans.BeanUtils; 
@@ -157,49 +158,32 @@ public class UserService extends AbstractBaseEntityService> groupBatchInsertValues = req.getAddGroupIds().stream() - // .map(groupId -> Map.of("userId", (int) id, "groupId", groupId)) - // .collect(Collectors.toList()); - // List> groupBatchDeleteValues = req.getRemoveGroupIds().stream() - // .map(groupId -> Map.of("userId", (int) id, "groupId", groupId)) - // .collect(Collectors.toList()); - - // if (!groupBatchInsertValues.isEmpty()) { - // jdbcDao.batchUpdate( - // "INSERT IGNORE INTO user_group (groupId,userId)" - // + " VALUES (:groupId, :userId)", - // groupBatchInsertValues); - // } - // if (!groupBatchDeleteValues.isEmpty()) { - // jdbcDao.batchUpdate( - // "DELETE FROM user_group" - // + " WHERE groupId = :groupId AND userId = :userId", - // groupBatchDeleteValues); - // } - - // List> authBatchInsertValues = req.getAddAuthIds().stream() - // .map(authId -> Map.of("userId", (int)id, "authId", authId)) - // .collect(Collectors.toList()); - // List> authBatchDeleteValues = req.getRemoveAuthIds().stream() - // .map(authId -> Map.of("userId", (int)id, "authId", authId)) - // .collect(Collectors.toList()); - // if (!authBatchInsertValues.isEmpty()) { - // jdbcDao.batchUpdate( - // "INSERT IGNORE INTO user_authority (userId, authId)" - // + " VALUES (:userId, :authId)", - // authBatchInsertValues); - // } - - // if (!authBatchDeleteValues.isEmpty()) { - // jdbcDao.batchUpdate( - // "DELETE FROM user_authority" - // + " WHERE userId = :userId AND authId = :authId", - // authBatchDeleteValues); - // } + + long id = instance.getId(); + + List> authBatchInsertValues = req.getAddAuthIds().stream() + .map(authId -> Map.of("userId", (int)id, "authId", authId)) + .collect(Collectors.toList()); + List> authBatchDeleteValues = req.getRemoveAuthIds().stream() + .map(authId -> Map.of("userId", (int)id, "authId", authId)) + .collect(Collectors.toList()); + if (!authBatchDeleteValues.isEmpty()) { + jdbcDao.batchUpdate( + "DELETE FROM user_authority" + + 
" WHERE userId = :userId ", +// + "AND authId = :authId", + authBatchDeleteValues); + } + if (!authBatchInsertValues.isEmpty()) { + jdbcDao.batchUpdate( + "INSERT IGNORE INTO user_authority (userId, authId)" + + " VALUES (:userId, :authId)", + authBatchInsertValues); + } + return instance; } @@ -209,22 +193,39 @@ public class UserService extends AbstractBaseEntityService> authBatchInsertValues = req.getAddAuthIds().stream() + .map(authId -> Map.of("userId", (int)id, "authId", authId)) + .collect(Collectors.toList()); + List> authBatchDeleteValues = req.getRemoveAuthIds().stream() + .map(authId -> Map.of("userId", (int)id, "authId", authId)) + .collect(Collectors.toList()); + if (!authBatchDeleteValues.isEmpty()) { + jdbcDao.batchUpdate( + "DELETE FROM user_authority" + + " WHERE userId = :userId ", +// + "AND authId = :authId", + authBatchDeleteValues); + } + if (!authBatchInsertValues.isEmpty()) { + jdbcDao.batchUpdate( + "INSERT IGNORE INTO user_authority (userId, authId)" + + " VALUES (:userId, :authId)", + authBatchInsertValues); + } + return instance; } @@ -259,6 +260,4 @@ public class UserService extends AbstractBaseEntityService> authComboJson(HttpServletRequest request, @PathVariable("id") int id, @PathVariable("target") String target) throws ServletRequestBindingException { + System.out.println(request); + Map args = new HashMap<>(); + if (id != 0){ + if (target.equals("group")){ + args.put("groupId", id); + } else { + args.put("userId", id); + + } + } + + return new RecordsRes<>(groupService.listAuth(args)); + } + } diff --git a/src/main/java/com/ffii/fpsms/modules/user/web/UserController.java b/src/main/java/com/ffii/fpsms/modules/user/web/UserController.java index 812efa9..526d8bf 100644 --- a/src/main/java/com/ffii/fpsms/modules/user/web/UserController.java +++ b/src/main/java/com/ffii/fpsms/modules/user/web/UserController.java 
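Review bot: The `DELETE FROM user_authority WHERE userId = :userId` statement has its `AND authId = :authId` clause commented out, so any non-empty `removeAuthIds` deletes every authority the user holds instead of only the listed ones, and the batch repeats that full delete once per entry. Only the ids in `addAuthIds` are re-inserted afterwards, so a request meant to revoke one permission silently revokes all the others too. Restore the predicate as `+ " WHERE userId = :userId AND authId = :authId",`, or, if replace-all is intended, issue a single delete and document that `addAuthIds` must carry the complete set. The same block is repeated in the following hunk (`@@ -209,22 +193,39 @@`) and needs the same change; both enclosing methods start outside their hunks. The `(int)id` cast also narrows a `long` key and can be avoided by putting `id` into the map directly.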
@@ -1,7 +1,9 @@ package com.ffii.fpsms.modules.user.web; import java.io.UnsupportedEncodingException; +import java.util.List; +import com.ffii.fpsms.modules.user.service.pojo.UserRecord; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.springframework.http.HttpStatus; @@ -61,8 +63,8 @@ public class UserController{ // @Operation(summary = "list user", responses = { @ApiResponse(responseCode = "200"), // @ApiResponse(responseCode = "404", content = @Content) }) @GetMapping - @PreAuthorize("hasAuthority('VIEW_USER')") - public ResponseEntity list(@ModelAttribute @Valid SearchUserReq req) { +// @PreAuthorize("hasAuthority('VIEW_USER')") + public ResponseEntity> list(@ModelAttribute @Valid SearchUserReq req) { logger.info("Test List user"); return ResponseEntity.ok(userService.search(req)); } @@ -91,10 +93,11 @@ public class UserController{ } // @Operation(summary = "new user") - @PostMapping - @ResponseStatus(HttpStatus.CREATED) - @PreAuthorize("hasAuthority('MAINTAIN_USER')") + @PostMapping("/save") +// @ResponseStatus(HttpStatus.CREATED) +// @PreAuthorize("hasAuthority('MAINTAIN_USER')") public IdRes newRecord(@RequestBody @Valid NewUserReq req) throws UnsupportedEncodingException { + System.out.println(req.getUsername()); return new IdRes(userService.newRecord(req).getId()); } @@ -120,6 +123,13 @@ public class UserController{ userService.updateRecord(id, req); } +// @PostMapping("/{id}") +// @ResponseStatus(HttpStatus.NO_CONTENT) +// @PreAuthorize("hasAuthority('MAINTAIN_USER')") +// public void saveRecord(@RequestBody @Valid NewUserReq req) { +// userService.newUser(req); +// } + // @Operation(summary = "current user change password", description = "error: USER_WRONG_NEW_PWD = new password not available", responses = { // @ApiResponse(responseCode = "204"), // @ApiResponse(responseCode = "400", content = @Content), 
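Review bot: Commenting out `@PreAuthorize("hasAuthority('VIEW_USER')")` on `list` leaves the user listing without a method-level authority check, and the next hunk does the same to `@PreAuthorize("hasAuthority('MAINTAIN_USER')")` on `newRecord`. `newRecord` accepts a `NewUserReq` that now carries a password and, per the UserService change, `addAuthIds`, so any caller who satisfies whatever the global security configuration requires could create an account and assign it authorities. Unless an equivalent rule exists in the HTTP security configuration, which this diff does not show, both annotations should be restored before merge.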
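Review bot: `System.out.println(req.getUsername());` in `newRecord` writes request data to stdout and bypasses the `logger` this class already uses; `System.out.println(request);` in the added `authComboJson` method does the same. Replace both with a `logger.debug(...)` call or drop them. Commenting out `@ResponseStatus(HttpStatus.CREATED)` and moving the route to `/save` also changes the response code from 201 to 200 and the URL for existing clients, which deserves a line in the commit message if intended.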
@@ -148,6 +158,17 @@ public class UserController{ userService.save(instance); } + @PatchMapping("/admin-change-password") + @ResponseStatus(HttpStatus.NO_CONTENT) + @PreAuthorize("hasAuthority('MAINTAIN_USER')") + public void adminChangePassword(@RequestBody @Valid AdminChangePwdReq req) { + long id = req.getId(); + User instance = userService.find(id).orElseThrow(NotFoundException::new); + + instance.setPassword(passwordEncoder.encode(req.getNewPassword())); + userService.save(instance); + } + // @Operation(summary = "reset password", responses = { // @ApiResponse(responseCode = "204"), // @ApiResponse(responseCode = "404", content = @Content), @@ -166,6 +187,21 @@ public class UserController{ return new PasswordRule(settingsService); } + public static class AdminChangePwdReq { + private Long id; + @NotBlank + private String newPassword; + + public Long getId() { return id; } + public Long setId(Long id) { return this.id = id; } + public String getNewPassword() { + return newPassword; + } + public void setNewPassword(String newPassword) { + this.newPassword = newPassword; + } + } + public static class ChangePwdReq { @NotBlank private String password;
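Review bot: `adminChangePassword` encodes and stores `req.getNewPassword()` after only the `@NotBlank` check, so the password policy exposed through `PasswordRule` in this controller does not appear to be applied on the admin path. Validate the new password against the same rule the self-service change uses before calling `passwordEncoder.encode`. An administrative password reset is also worth an audit entry naming the acting administrator and the target user id, without the password itself, for example through the existing `logger`.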
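Review bot: `id` in `AdminChangePwdReq` has no constraint, so `@Valid` lets a body without it through and `long id = req.getId();` in `adminChangePassword` then fails on unboxing with a NullPointerException instead of a validation error; `@NotNull private Long id;` would reject it at binding time. `public Long setId(Long id) { return this.id = id; }` is not a conventional bean setter; `public void setId(Long id) { this.id = id; }` matches `setNewPassword` and avoids surprises with binders that expect a void setter. A `@Size` bound on `newPassword` would also cap the input handed to the password encoder.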