diff --git a/apps/rbac/permissions.py b/apps/rbac/permissions.py
index e6e569c7f..788c10a69 100644
--- a/apps/rbac/permissions.py
+++ b/apps/rbac/permissions.py
@@ -141,3 +141,6 @@ class RBACPermission(permissions.DjangoModelPermissions):
 has = request.user.has_perms(perms)
 logger.debug('View require perms: {}, result: {}'.format(perms, has))
 return has
+
+ def has_object_permission(self, request, view, obj):
+ return self.has_permission(request, view)
diff --git a/apps/terminal/api/session/session.py b/apps/terminal/api/session/session.py
index beb790f5c..13cd62b7a 100644
--- a/apps/terminal/api/session/session.py
+++ b/apps/terminal/api/session/session.py
@@ -22,6 +22,7 @@ from common.drf.renders import PassthroughRenderer
 from common.api import AsyncApiMixin
 from common.utils import data_to_json, is_uuid
 from common.utils import get_logger, get_object_or_none
+from rbac.permissions import RBACPermission
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.utils import tmp_to_root_org, tmp_to_org
 from terminal import serializers
@@ -30,6 +31,7 @@ from terminal.utils import (
 find_session_replay_local, download_session_replay, is_session_approver, get_session_replay_url
 )
+from terminal.permissions import IsSessionAssignee
 from users.models import User
 
 __all__ = [
@@ -86,6 +88,7 @@ class SessionViewSet(OrgBulkModelViewSet):
 rbac_perms = {
 'download': ['terminal.download_sessionreplay']
 }
+ permission_classes = [RBACPermission | IsSessionAssignee]
 
 @staticmethod
 def prepare_offline_file(session, local_path):
diff --git a/apps/terminal/permissions.py b/apps/terminal/permissions.py
new file mode 100644
index 000000000..1165c0570
--- /dev/null
+++ b/apps/terminal/permissions.py
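Review bot: The new `has_object_permission` override in RBACPermission needs a comment explaining why it exists, because on its own it reads as a no-op that ignores `obj`. DRF's `BasePermission.has_object_permission` returns True by default, so when `RBACPermission` is combined with another permission via `|` the object-level check could otherwise pass for any object regardless of model permissions (how strictly depends on the DRF version's `OR` implementation); delegating to `has_permission` closes that gap, at the cost of the debug line in `has_permission` firing a second time on detail requests. Suggest a docstring such as `"""Re-run the view-level RBAC check at object level so an OR-composed permission cannot bypass it (BasePermission defaults to True here)."""`. The enclosing `has_permission` method begins outside the hunk.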
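Review bot: `permission_classes = [RBACPermission | IsSessionAssignee]` weakens the view-level gate for every action on `SessionViewSet`, because `IsSessionAssignee` (added in the new apps/terminal/permissions.py hunk) defines only `has_object_permission`, so its inherited `BasePermission.has_permission` returns True and the OR evaluates to True whenever RBAC says no. For non-object actions such as list, nothing beyond authentication is then checked; detail actions still reach `has_object_permission`, where the ticket-assignee test applies. Give `IsSessionAssignee` an explicit `has_permission` that admits only detail routes, e.g. `def has_permission(self, request, view):` / `return bool(getattr(view, 'detail', False))`, so list and bulk requests stay under RBAC. Whether `RBACPermission.has_permission` itself handles anonymous users is outside this diff.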
@@ -0,0 +1,16 @@
+from rest_framework import permissions
+from common.utils import get_logger
+
+logger = get_logger(__file__)
+
+
+__all__ = ['IsSessionAssignee']
+
+
+class IsSessionAssignee(permissions.BasePermission):
+
+ def has_object_permission(self, request, view, obj):
+ try:
+ return obj.ticket_relation.first().ticket.has_all_assignee(request.user)
+ except:
+ return False
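Review bot: The bare `except:` in `has_object_permission` catches every exception, including database errors and `KeyboardInterrupt`, and turns them into a silent deny; it also hides the `AttributeError` that arises when `ticket_relation.first()` returns None, which is presumably the case it was written for. Handle the no-ticket case explicitly and let unexpected errors propagate, or at least log them with the module-level `logger`, which is currently unused: `relation = obj.ticket_relation.first()` / `if relation is None: return False` / `return relation.ticket.has_all_assignee(request.user)`. A one-line class docstring stating that the permission grants access only to assignees of the ticket linked to the session object would also help readers of the OR composition in session.py.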