diff --git a/.gitignore b/.gitignore
index 7abfa0b..3d491bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -29,3 +29,4 @@ AGENTS.md
 CLAUDE.md
 .mcp.json
 boost.json
+LOG.md
diff --git a/app/Http/Controllers/Api/ServerResourceController.php b/app/Http/Controllers/Api/ServerResourceController.php
index bbca3c4..8ef5b34 100644
--- a/app/Http/Controllers/Api/ServerResourceController.php
+++ b/app/Http/Controllers/Api/ServerResourceController.php
@@ -16,6 +16,7 @@ use Illuminate\Http\Client\ConnectionException;
 use Illuminate\Http\Client\RequestException;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Http;
 use Illuminate\Validation\ValidationException;
 use Spatie\Permission\Models\Permission;
@@ -38,7 +39,7 @@ class ServerResourceController extends Controller
         $user = auth('api')->user();
 
         if ($user && ! $user->can('platform.servers.view')) {
-            $resourceIds = $user->serverResources()
+            $pivotResourceIds = $user->serverResources()
                 ->where(function ($pivotQuery) {
                     $pivotQuery->where('can_ssh', true)
                         ->orWhere('can_sftp', true)
@@ -47,6 +48,13 @@ class ServerResourceController extends Controller
                 ->pluck('server_resources.id')
                 ->values();
 
+            $permissionResourceIds = $this->resolveResourceIdsFromPermissions($user);
+            $resourceIds = $pivotResourceIds
+                ->merge($permissionResourceIds)
+                ->map(fn ($id): int => (int) $id)
+                ->unique()
+                ->values();
+
             $parentIds = ServerResource::query()
                 ->whereIn('id', $resourceIds)
                 ->pluck('parent_id')
@@ -61,6 +69,31 @@ class ServerResourceController extends Controller
         return response()->json(['code' => 0, 'message' => 'ok', 'data' => $query->paginate(500)]);
     }
 
+    private function resolveResourceIdsFromPermissions(User $user): Collection
+    {
+        $allPermissions = $user->getAllPermissions();
+        if ($allPermissions->contains(fn (Permission $permission): bool => $permission->name === 'resource.servers.use')) {
+            return ServerResource::query()
+                ->whereNotNull('parent_id')
+                ->pluck('id')
+                ->values();
+        }
+
+        $resourceIds = collect();
+        foreach ($allPermissions as $permission) {
+            if (! str_starts_with((string) $permission->name, 'resource.servers.use.')) {
+                continue;
+            }
+
+            $description = (string) ($permission->description ?? '');
+            if (preg_match('/资源ID[:：]\s*(\d+)/u', $description, $matches) === 1) {
+                $resourceIds->push((int) $matches[1]);
+            }
+        }
+
+        return $resourceIds->unique()->values();
+    }
+
     #[Apidoc\Title('创建资源'), Apidoc\Method('POST'), Apidoc\Url('/servers')]
     public function store(StoreServerResourceRequest $request): JsonResponse
     {