diff --git a/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/AbstractAuthorizedQo.java b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/AbstractAuthorizedQo.java
new file mode 100644
index 0000000..babe4f5
--- /dev/null
+++ b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/AbstractAuthorizedQo.java
@@ -0,0 +1,56 @@
+package com.flyfish.framework.domain.authorized;
+
+import com.flyfish.framework.builder.CriteriaBuilder;
+import com.flyfish.framework.domain.base.NameLikeQo;
+import com.flyfish.framework.domain.po.Department;
+import lombok.Setter;
+import org.apache.commons.lang3.BooleanUtils;
+import org.springframework.data.mongodb.core.query.Criteria;
+
+import java.util.Collections;
+import java.util.Set;
+
+/**
+ * 公共方法封装
+ *
+ * @param <T> 泛型
+ */
+@Setter
+public abstract class AbstractAuthorizedQo<T extends AuthorizedDomain> extends NameLikeQo<T> {
+
+    // 是否已发布
+    protected Boolean published;
+
+    /**
+     * 获取可见的权限ids
+     *
+     * @return 结果
+     */
+    protected Set<String> authorizeIds() {
+        if (user instanceof AuthorizedUserDetails) {
+            return ((AuthorizedUserDetails) user).getAuthorityCodes();
+        }
+        return Collections.singleton(Department.PUBLIC);
+    }
+
+    /**
+     * 构造发布状态查询
+     *
+     * @return 结果
+     */
+    protected Criteria withPublished() {
+        if (null != published) {
+            if (BooleanUtils.isTrue(published)) {
+                return Criteria.where("published").is(true);
+            }
+            return Criteria.where("$or").is(
+                    CriteriaBuilder.createCriteriaList(
+                            Criteria.where("published").isNull(),
+                            Criteria.where("published").is(false)
+                    )
+            );
+        }
+        return null;
+    }
+
+}
diff --git a/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/AuthorizedQo.java b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/AuthorizedQo.java
index d72712d..58e923d 100644
--- a/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/AuthorizedQo.java
+++ b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/AuthorizedQo.java
@@ -1,18 +1,12 @@
 package com.flyfish.framework.domain.authorized;
 
 import com.flyfish.framework.builder.CriteriaBuilder;
-import com.flyfish.framework.domain.base.NameLikeQo;
-import com.flyfish.framework.domain.po.Department;
 import com.flyfish.framework.enums.UserType;
-import lombok.AccessLevel;
 import lombok.Getter;
 import lombok.Setter;
 import org.apache.commons.lang3.BooleanUtils;
 import org.springframework.data.mongodb.core.query.Criteria;
 
-import java.util.Collections;
-import java.util.Set;
-
 /**
  * 带鉴权的查询实体，主要以部门隔绝
  *
@@ -20,23 +14,7 @@ import java.util.Set;
  */
 @Getter
 @Setter
-public class AuthorizedQo<T extends AuthorizedDomain> extends NameLikeQo<T> {
-
-    // 是否已发布
-    @Getter(AccessLevel.NONE)
-    private Boolean published;
-
-    /**
-     * 获取可见的权限ids
-     *
-     * @return 结果
-     */
-    private Set<String> authorizeIds() {
-        if (user instanceof AuthorizedUserDetails) {
-            return ((AuthorizedUserDetails) user).getAuthorityCodes();
-        }
-        return Collections.singleton(Department.PUBLIC);
-    }
+public class AuthorizedQo<T extends AuthorizedDomain> extends AbstractAuthorizedQo<T> {
 
     @Override
     public CriteriaBuilder<T> criteriaBuilder() {
@@ -62,23 +40,4 @@ public class AuthorizedQo<T extends AuthorizedDomain> extends NameLikeQo<T> {
                 ));
     }
 
-    /**
-     * 构造发布状态查询
-     *
-     * @return 结果
-     */
-    private Criteria withPublished() {
-        if (null != published) {
-            if (BooleanUtils.isTrue(published)) {
-                return Criteria.where("published").is(true);
-            }
-            return Criteria.where("$or").is(
-                    CriteriaBuilder.createCriteriaList(
-                            Criteria.where("published").isNull(),
-                            Criteria.where("published").is(false)
-                    )
-            );
-        }
-        return null;
-    }
 }
diff --git a/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/advanced/OwnedAuthorizedDomain.java b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/advanced/OwnedAuthorizedDomain.java
new file mode 100644
index 0000000..a10877c
--- /dev/null
+++ b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/advanced/OwnedAuthorizedDomain.java
@@ -0,0 +1,28 @@
+package com.flyfish.framework.domain.authorized.advanced;
+
+import com.flyfish.framework.annotations.Order;
+import com.flyfish.framework.annotations.Property;
+import com.flyfish.framework.domain.authorized.AuthorizedDomain;
+import com.flyfish.framework.domain.po.User;
+import lombok.Getter;
+import lombok.Setter;
+import org.springframework.data.mongodb.core.mapping.DBRef;
+
+import java.util.List;
+
+/**
+ * 具有特例拥有权限的实体
+ *
+ * @author wangyu
+ */
+@Getter
+@Setter
+public abstract class OwnedAuthorizedDomain extends AuthorizedDomain {
+
+    // 关联账号
+    @Property("关联账号")
+    @Order(Integer.MAX_VALUE)
+    @DBRef
+    private List<User> owners;
+
+}
diff --git a/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/advanced/OwnedAuthorizedQo.java b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/advanced/OwnedAuthorizedQo.java
new file mode 100644
index 0000000..e2c6cfc
--- /dev/null
+++ b/flyfish-data/src/main/java/com/flyfish/framework/domain/authorized/advanced/OwnedAuthorizedQo.java
@@ -0,0 +1,53 @@
+package com.flyfish.framework.domain.authorized.advanced;
+
+import com.flyfish.framework.builder.CriteriaBuilder;
+import com.flyfish.framework.domain.authorized.AbstractAuthorizedQo;
+import com.flyfish.framework.domain.authorized.AuthorizedUserDetails;
+import com.flyfish.framework.enums.UserType;
+import lombok.Getter;
+import lombok.Setter;
+import org.apache.commons.lang3.BooleanUtils;
+import org.bson.types.ObjectId;
+import org.springframework.data.mongodb.core.query.Criteria;
+
+/**
+ * 拥有归属权的授权查询
+ *
+ * @param <T> 泛型
+ * @author wangyu
+ * 将会额外查询归属者的内容
+ */
+@Getter
+@Setter
+public class OwnedAuthorizedQo<T extends OwnedAuthorizedDomain> extends AbstractAuthorizedQo<T> {
+
+    @Override
+    public CriteriaBuilder<T> criteriaBuilder() {
+        // 超级管理员拥有查看所有草稿的权限
+        if (user.getType() == UserType.SUPER_ADMIN) {
+            return super.criteriaBuilder().with(this::withPublished);
+        }
+        // 查询草稿，只查询自己的
+        if (BooleanUtils.isFalse(published)) {
+            return super.criteriaBuilder()
+                    .with(this::withPublished)
+                    .with(() -> Criteria.where("$or").is(
+                            CriteriaBuilder.createCriteriaList(
+                                    Criteria.where("creatorId").is(user.getId()),
+                                    Criteria.where("owners.$id").is(new ObjectId(user.getId()))
+                            )
+                    ));
+        }
+        // 普通查询，根据权限配置查询
+        return super.criteriaBuilder()
+                .with(this::withPublished)
+                .with(() -> Criteria.where("$or").is(
+                        CriteriaBuilder.createCriteriaList(
+                                Criteria.where("authorizeId").in(authorizeIds()),
+                                Criteria.where("creatorId").is(user.getId())
+                                        .and("authorizeId").in(((AuthorizedUserDetails) user).getVisibleDeparts()),
+                                Criteria.where("owners.$id").is(new ObjectId(user.getId()))
+                        )
+                ));
+    }
+}
diff --git a/flyfish-web/src/main/java/com/flyfish/framework/beans/meta/BeanProperty.java b/flyfish-web/src/main/java/com/flyfish/framework/beans/meta/BeanProperty.java
index 2a1d9d5..7d05e0f 100644
--- a/flyfish-web/src/main/java/com/flyfish/framework/beans/meta/BeanProperty.java
+++ b/flyfish-web/src/main/java/com/flyfish/framework/beans/meta/BeanProperty.java
@@ -5,6 +5,7 @@ import com.fasterxml.jackson.annotation.JsonIgnore;
 import com.flyfish.framework.annotations.Properties;
 import com.flyfish.framework.annotations.*;
 import com.flyfish.framework.beans.enums.ValidationCandidate;
+import com.flyfish.framework.beans.meta.builtin.BeanUris;
 import com.flyfish.framework.beans.meta.parser.BeanPropertyAnnotations;
 import com.flyfish.framework.beans.meta.parser.SimpleBeanPropertyAnnotations;
 import com.flyfish.framework.domain.base.Qo;
@@ -25,6 +26,7 @@ import org.springframework.beans.BeanUtils;
 import org.springframework.core.annotation.AnnotatedElementUtils;
 import org.springframework.core.annotation.MergedAnnotation;
 import org.springframework.core.annotation.MergedAnnotations;
+import org.springframework.data.mongodb.core.mapping.DBRef;
 import org.springframework.data.mongodb.core.mapping.Document;
 
 import java.beans.PropertyDescriptor;
@@ -217,9 +219,10 @@ public class BeanProperty {
             case LIST:
                 if (null != field) {
                     // 是附件，展现附件列表
-                    ReflectionUtils.getGenericType(field)
-                            .filter(property::isAttachment)
-                            .ifPresent(item -> property.prop("attachment", true));
+                    Class<?> elementClass = ReflectionUtils.getGenericType(field).orElse(Object.class);
+                    if (property.isAttachment(elementClass)) {
+                        property.prop("attachment", true);
+                    }
                     annotations
                             .as(SubBean.class)
                             .map(MergedAnnotation::synthesize)
@@ -245,6 +248,12 @@ public class BeanProperty {
                                 property.setType(BeanPropertyType.DB_REF);
                                 property.prop("uri", ref).prop("mode", "multiple");
                             }))
+                            .or()
+                            .as(DBRef.class)
+                            .then(a -> processDbRef(elementClass).ifPresent(ref -> {
+                                property.setType(BeanPropertyType.DB_REF);
+                                property.prop("uri", ref).prop("mode", "multiple");
+                            }))
                             .end();
                 }
                 break;
@@ -338,7 +347,11 @@ public class BeanProperty {
      */
     private static Optional<String> processDbRef(Class<?> clazz) {
         return Optional.ofNullable(AnnotatedElementUtils.findMergedAnnotation(clazz, Document.class))
-                .map(Document::value);
+                .map(document -> {
+                    String collection = document.value();
+                    return StringUtils.isNotBlank(collection) ? collection :
+                            BeanUris.getUri(clazz).orElse(StringFormats.camel2Line(clazz.getSimpleName()));
+                });
     }
 
     /**
diff --git a/flyfish-web/src/main/java/com/flyfish/framework/beans/meta/builtin/BeanUris.java b/flyfish-web/src/main/java/com/flyfish/framework/beans/meta/builtin/BeanUris.java
new file mode 100644
index 0000000..074bd39
--- /dev/null
+++ b/flyfish-web/src/main/java/com/flyfish/framework/beans/meta/builtin/BeanUris.java
@@ -0,0 +1,37 @@
+package com.flyfish.framework.beans.meta.builtin;
+
+import com.flyfish.framework.domain.po.Department;
+import com.flyfish.framework.domain.po.Permission;
+import com.flyfish.framework.domain.po.Role;
+import com.flyfish.framework.domain.po.User;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+
+/**
+ * 内置的uris
+ *
+ * @author wangyu
+ */
+public class BeanUris {
+
+    private static final Map<Class<?>, String> uris = new HashMap<>();
+
+    static {
+        uris.put(User.class, "users");
+        uris.put(Department.class, "departments");
+        uris.put(Role.class, "roles");
+        uris.put(Permission.class, "permissions");
+    }
+
+    /**
+     * 获取uri
+     *
+     * @param clazz 类
+     * @return 结果
+     */
+    public static Optional<String> getUri(Class<?> clazz) {
+        return Optional.ofNullable(uris.get(clazz));
+    }
+}