diff --git a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/CustomerPermissionService.java b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/CustomerPermissionService.java
new file mode 100644
index 0000000..d73b526
--- /dev/null
+++ b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/CustomerPermissionService.java
@@ -0,0 +1,30 @@
+package com.pudonghot.ambition.crm.service;
+
+import me.chyxion.tigon.service.BaseCrudService;
+import com.pudonghot.ambition.crm.model.CustomerPermission;
+
+/**
+ * @author Shaun Chyxion <br>
+ * chyxion@163.com <br>
+ * Apr 30, 2018 10:30:16
+ */
+public interface CustomerPermissionService
+    extends BaseCrudService<String,
+        CustomerPermission> {
+
+    /**
+     * create new customer permission
+     * @param customerId customer id
+     * @param account account
+     * @param operator operator
+     */
+    void create(final String customerId, final String account, final String operator);
+
+    /**
+     * delete customer permission
+     * @param customerId customer id
+     * @param account account
+     */
+    void delete(final String customerId, final String account);
+}
+
diff --git a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/UserService.java b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/UserService.java
index 2ec2e70..d0b709f 100644
--- a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/UserService.java
+++ b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/UserService.java
@@ -45,5 +45,7 @@ public interface UserService
     @NotNull ViewModel<User> updatePassword(
         @NotBlank String userId,
         @Valid UserFormForUpdatePassword form);
+
+    @NotBlank String findAccount(@NotBlank String id);
 }
 
diff --git a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/ApplicationServiceSupport.java b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/ApplicationServiceSupport.java
index a988dbb..ac82cfc 100644
--- a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/ApplicationServiceSupport.java
+++ b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/ApplicationServiceSupport.java
@@ -6,23 +6,22 @@ import java.util.ArrayList;
 import java.io.IOException;
 import java.io.InputStream;
 import lombok.extern.slf4j.Slf4j;
+import java.util.function.Consumer;
 import me.chyxion.tigon.mybatis.Search;
 import org.springframework.util.Assert;
 import me.chyxion.tigon.model.ViewModel;
+import com.pudonghot.ambition.crm.model.*;
+import com.pudonghot.ambition.crm.mapper.*;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.stereotype.Service;
 import com.pudonghot.ambition.file.DiskFileApi;
-import com.pudonghot.ambition.crm.model.FileInfo;
-import com.pudonghot.ambition.crm.model.Application;
+import com.pudonghot.ambition.crm.service.UserService;
 import org.springframework.web.multipart.MultipartFile;
-import com.pudonghot.ambition.crm.model.ApplicationImage;
-import com.pudonghot.ambition.crm.mapper.ApplicationMapper;
-import com.pudonghot.ambition.crm.model.CustomerApplication;
 import com.pudonghot.ambition.crm.service.ApplicationService;
 import org.springframework.beans.factory.annotation.Autowired;
 import me.chyxion.tigon.service.support.BaseCrudServiceSupport;
 import org.springframework.transaction.annotation.Transactional;
-import com.pudonghot.ambition.crm.mapper.ApplicationImageMapper;
-import com.pudonghot.ambition.crm.mapper.CustomerApplicationMapper;
+import com.pudonghot.ambition.crm.service.CustomerPermissionService;
 import com.pudonghot.ambition.crm.form.update.ApplicationFormForUpdate;
 import com.pudonghot.ambition.crm.form.create.ApplicationFormForCreate;
 import com.pudonghot.ambition.crm.form.create.ApplicationImageFormForCreate;
@@ -44,7 +43,13 @@ public class ApplicationServiceSupport
     @Autowired
     private DiskFileApi fileApi;
     @Autowired
+    private CustomerMapper customerMapper;
+    @Autowired
     private CustomerApplicationMapper customerApplicationMapper;
+    @Autowired
+    private UserService userService;
+    @Autowired
+    private CustomerPermissionService customerPermissionService;
 
     /**
      * {@inheritDoc}
@@ -68,9 +73,40 @@ public class ApplicationServiceSupport
     @Override
     public ViewModel<Application> update(final ApplicationFormForUpdate form) {
         final String updatedBy = form.getUpdatedBy();
-        final Application application = validatePerm(form.getId(), updatedBy, form.isAdmin());
+        final boolean admin = form.isAdmin();
+        final Application application = validatePerm(form.getId(), updatedBy, admin);
+        final String oldOwner = application.getOwner();
+        final String newOwner = form.getOwner();
         form.copy(application);
-        if (!form.isAdmin()) {
+
+        if (admin) {
+            final boolean hasOldOwner = StringUtils.isNotBlank(oldOwner);
+            final boolean hasNewOwner = StringUtils.isNotBlank(newOwner);
+
+            if (hasOldOwner && !hasNewOwner) {
+                // removed
+                final String oldOwnerAccount = userService.findAccount(oldOwner);
+                iterateCustomerOfApplication(application.getId(),
+                    customerId -> customerPermissionService.delete(customerId, oldOwnerAccount));
+            }
+            else if (!hasOldOwner && hasNewOwner) {
+                // add
+                final String newOwnerAccount = userService.findAccount(newOwner);
+                iterateCustomerOfApplication(application.getId(),
+                    customerId -> customerPermissionService.create(customerId, newOwnerAccount, updatedBy));
+            }
+            else if (hasOldOwner && hasNewOwner &&
+                !StringUtils.equals(oldOwner, newOwner)) {
+                // update
+                final String oldOwnerAccount = userService.findAccount(oldOwner);
+                final String newOwnerAccount = userService.findAccount(newOwner);
+                iterateCustomerOfApplication(application.getId(), customerId -> {
+                    customerPermissionService.delete(customerId, oldOwnerAccount);
+                    customerPermissionService.create(customerId, newOwnerAccount, updatedBy);
+                });
+            }
+        }
+        else {
             application.setOwner(updatedBy);
         }
         return update(application);
@@ -223,4 +259,21 @@ public class ApplicationServiceSupport
             "No permission to update application");
         return application;
     }
+
+    private List<Customer> listCustomerOfApplication(final Search search) {
+        return customerMapper.listOfApplication(search.getAttr("appId"), search.offset(), search.limit());
+    }
+
+    private int countCustomerOfApplication(final Search search) {
+        return customerMapper.countOfApplication(search.getAttr("appId"));
+    }
+
+    private void iterateCustomerOfApplication(final String appId, final Consumer<String> consumer) {
+        scan(512, new Search().setAttr("appId", appId),
+            this::listCustomerOfApplication,
+            this::countCustomerOfApplication, customer -> {
+                consumer.accept(customer.getId());
+                return false;
+            });
+    }
 }
diff --git a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/CustomerPermissionServiceSupport.java b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/CustomerPermissionServiceSupport.java
new file mode 100644
index 0000000..b2dcb18
--- /dev/null
+++ b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/CustomerPermissionServiceSupport.java
@@ -0,0 +1,56 @@
+package com.pudonghot.ambition.crm.service.support;
+
+import java.util.Date;
+import lombok.extern.slf4j.Slf4j;
+import me.chyxion.tigon.mybatis.Search;
+import org.springframework.stereotype.Service;
+import com.pudonghot.ambition.crm.model.CustomerPermission;
+import me.chyxion.tigon.service.support.BaseCrudServiceSupport;
+import com.pudonghot.ambition.crm.mapper.CustomerPermissionMapper;
+import com.pudonghot.ambition.crm.service.CustomerPermissionService;
+
+/**
+ * @author Shaun Chyxion <br>
+ * chyxion@163.com <br>
+ * Apr 30, 2018 10:31:35
+ */
+@Slf4j
+@Service
+public class CustomerPermissionServiceSupport
+    extends BaseCrudServiceSupport<String,
+        CustomerPermission,
+        CustomerPermissionMapper>
+    implements CustomerPermissionService {
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void create(final String customerId, final String account, final String operator) {
+        if (mapper.find(new Search(CustomerPermission.CUSTOMER_ID, customerId)
+                .eq(CustomerPermission.USER_ACCOUNT, account)) == null) {
+
+            final CustomerPermission permission = new CustomerPermission();
+            permission.setId(idSeq.get());
+            permission.setType(CustomerPermission.Type.APPLICATION);
+            permission.setCustomerId(customerId);
+            permission.setUserAccount(account);
+            permission.setEnabled(true);
+            permission.setCreatedBy(operator);
+            permission.setDateCreated(new Date());
+            log.info("Insert customer permission [{}].", permission);
+            mapper.insert(permission);
+        }
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    public void delete(final String customerId, final String account) {
+        log.info("remove customer [{}] account [{}] permission.", customerId, account);
+        mapper.delete(new Search(CustomerPermission.CUSTOMER_ID, customerId)
+            .eq(CustomerPermission.USER_ACCOUNT, account)
+            .eq(CustomerPermission.TYPE, CustomerPermission.Type.APPLICATION));
+    }
+}
diff --git a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/CustomerServiceSupport.java b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/CustomerServiceSupport.java
index f6948df..b238770 100644
--- a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/CustomerServiceSupport.java
+++ b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/CustomerServiceSupport.java
@@ -22,6 +22,7 @@ import com.pudonghot.ambition.crm.service.UserService;
 import com.pudonghot.ambition.crm.service.CustomerService;
 import org.springframework.beans.factory.annotation.Autowired;
 import com.pudonghot.ambition.crm.service.CustomerIssueService;
+import com.pudonghot.ambition.crm.service.CustomerPermissionService;
 import com.pudonghot.ambition.crm.form.create.CustomerFormForCreate;
 import com.pudonghot.ambition.crm.form.update.CustomerFormForUpdate;
 import me.chyxion.tigon.service.support.BaseCrudByFormServiceSupport;
@@ -42,6 +43,8 @@ public class CustomerServiceSupport
     @Autowired
     private UserService userService;
     @Autowired
+    private CustomerPermissionService customerPermissionService;
+    @Autowired
     private CustomerPermissionMapper customerPermissionMapper;
     @Autowired
     private CustomerIssueService customerIssueService;
@@ -161,6 +164,10 @@ public class CustomerServiceSupport
         final String customerId = form.getId();
         customerApplicationMapper.delete(
             new Search(CustomerApplication.CUSTOMER_ID, customerId));
+        customerPermissionMapper.delete(
+            new Search(CustomerPermission.CUSTOMER_ID, customerId)
+                .eq(CustomerPermission.TYPE, CustomerPermission.Type.APPLICATION));
+
         final String[] applications = form.getApplications();
         if (applications != null && applications.length > 0) {
             final String operator = form.getUpdatedBy();
@@ -172,13 +179,23 @@ public class CustomerServiceSupport
                     "No application [" + applicationId + "] found");
                 Assert.state(application.isEnabled(),
                     "Application [" + application.getName() + "] is disabled");
+
                 final CustomerApplication customerApplication = new CustomerApplication();
                 customerApplication.setId(idSeq.get());
+                customerApplication.setEnabled(true);
                 customerApplication.setCustomerId(customerId);
                 customerApplication.setApplicationId(applicationId);
                 customerApplication.setCreatedBy(operator);
                 customerApplication.setDateCreated(now);
                 customerApplicationMapper.insert(customerApplication);
+
+                final String applicationOwner = application.getOwner();
+                if (StringUtils.isNotBlank(applicationOwner)) {
+                    log.info("Add application owner [{}] customer [{}] permission.",
+                        applicationOwner, customerId);
+                    customerPermissionService.create(customerId,
+                        userService.findAccount(applicationOwner), operator);
+                }
             }
         }
         return super.update(form);
@@ -392,9 +409,10 @@ public class CustomerServiceSupport
 
                             if (StringUtils.isNotBlank(account)) {
                                 final CustomerPermission permOld = customerPermissionMapper.find(
-                                        new Search(CustomerPermission.CUSTOMER_ID, customerId)
-                                                .eq(CustomerPermission.USER_ACCOUNT, account));
+                                    new Search(CustomerPermission.CUSTOMER_ID, customerId)
+                                        .eq(CustomerPermission.USER_ACCOUNT, account));
                                 if (permOld != null) {
+                                    permOld.setType(CustomerPermission.Type.SYSTEM);
                                     permOld.setUpdatedBy(operator);
                                     permOld.setDateUpdated(date);
                                     permOld.setEnabled(true);
@@ -403,6 +421,7 @@ public class CustomerServiceSupport
                                 }
                                 else {
                                     permission.setId(idSeq.get());
+                                    permission.setType(CustomerPermission.Type.SYSTEM);
                                     permission.setCustomerId(customerId);
                                     permission.setUserAccount(account);
                                     permission.setEnabled(true);
diff --git a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/UserServiceSupport.java b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/UserServiceSupport.java
index 3d0a9b9..398b11d 100644
--- a/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/UserServiceSupport.java
+++ b/server/crm/src/main/java/com/pudonghot/ambition/crm/service/support/UserServiceSupport.java
@@ -3,7 +3,6 @@ package com.pudonghot.ambition.crm.service.support;
 import java.util.List;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.util.Assert;
-import me.chyxion.tigon.mybatis.Search;
 import me.chyxion.tigon.model.ViewModel;
 import org.apache.commons.lang3.StringUtils;
 import com.pudonghot.ambition.crm.model.User;
@@ -78,12 +77,12 @@ public class UserServiceSupport
     @Override
     public ViewModel<User> updatePassword(final String userId, final UserFormForUpdatePassword form) {
         Assert.state(form.getPassword().equals(form.getConfirmPassword()),
-            "确认密码不匹配新密码");
+            "Repeat password does not match");
 
         final User user = mapper.find(userId);
-        Assert.state(user != null, "No User [" + userId + "] Found");
+        Assert.state(user != null, "No user [" + userId + "] found");
         Assert.state(hashPassword(userId, form.getOriginPassword())
-            .equals((user.getPassword())), "原始密码错误");
+            .equals((user.getPassword())), "Incorrect origin password");
 
         user.setPassword(hashPassword(userId, form.getPassword()));
         return update(user);
@@ -93,7 +92,17 @@ public class UserServiceSupport
      * {@inheritDoc}
      */
     @Override
-    protected void beforeInsert(User model) {
+    public String findAccount(final String id) {
+        final User user = find(id);
+        Assert.state(user != null, "No user [" + id + "] found");
+        return user.getAccount();
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    @Override
+    protected void beforeInsert(final User model) {
         super.beforeInsert(model);
         model.setPassword(hashPassword(model.getId(), model.getPassword()));
     }
diff --git a/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.java b/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.java
index d03bf2f..baeb0ad 100644
--- a/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.java
+++ b/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.java
@@ -5,6 +5,8 @@ import java.util.List;
 import me.chyxion.tigon.mybatis.Search;
 import me.chyxion.tigon.mybatis.BaseMapper;
 import org.apache.ibatis.annotations.Param;
+
+import javax.validation.constraints.Min;
 import javax.validation.constraints.NotNull;
 import com.pudonghot.ambition.crm.model.Customer;
 import org.hibernate.validator.constraints.NotBlank;
@@ -34,6 +36,30 @@ public interface CustomerMapper extends BaseMapper<String, Customer> {
         @NotNull @Param("s") Search search,
         @Param("account") String account);
 
+    /**
+     * list customers of application
+     * @param appId app id
+     * @param offset offset
+     * @param limit limit
+     * @return customers
+     */
+    List<Customer> listOfApplication(
+        @NotBlank
+        @Param("appId") String appId,
+        @Min(0)
+        @Param("offset") int offset,
+        @Min(1)
+        @Param("limit") int limit);
+
+    /**
+     * count customers of application
+     * @param appId app id
+     * @return customer count of application
+     */
+    int countOfApplication(
+        @NotBlank
+        @Param("appId") String appId);
+
     /**
      * count for show
      * @param search search
diff --git a/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.xml b/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.xml
index abe6796..0b68508 100644
--- a/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.xml
+++ b/server/mapper/src/main/java/com/pudonghot/ambition/crm/mapper/CustomerMapper.xml
@@ -138,6 +138,25 @@
 		and (status is null or status in ('STATUS_ACTIVE', 'STATUS_OCCASIONAL'))
 	</select>
 
+	<select id="listOfApplication" resultType="com.pudonghot.ambition.crm.model.Customer">
+		select <include refid="cols" />
+		from <include refid="table" />
+  		join (select customer_id
+			from crm_customer_application
+			where application_id = #{appId}) app
+		on id = app.customer_id
+        limit #{offset}, #{limit}
+	</select>
+
+	<select id="countOfApplication" resultType="int">
+		select count(1)
+		from <include refid="table" /> c
+		join crm_customer_application ca
+		on c.id = ca.customer_id
+		where ca.application_id = #{appId}
+	</select>
+
+
 	<sql id="showCols">
 		<foreach collection="new com.pudonghot.ambition.crm.model.Customer().cols('customer')" item="col" separator=", ">
 			${col}
diff --git a/server/model/src/main/java/com/pudonghot/ambition/crm/model/CustomerPermission.java b/server/model/src/main/java/com/pudonghot/ambition/crm/model/CustomerPermission.java
index bef7600..3b60a0c 100644
--- a/server/model/src/main/java/com/pudonghot/ambition/crm/model/CustomerPermission.java
+++ b/server/model/src/main/java/com/pudonghot/ambition/crm/model/CustomerPermission.java
@@ -20,9 +20,15 @@ public class CustomerPermission extends M3<String, String> {
     // Column Names
     public static final String USER_ACCOUNT = "user_account";
     public static final String CUSTOMER_ID = "customer_id";
+    public static final String TYPE = "type";
+
+    public enum Type {
+        SYSTEM,
+        APPLICATION
+    }
 
     // Properties
 	private String customerId;
     private String userAccount;
-
+    private Type type;
 }