diff --git a/inventory-backend/app/services/inbound/buy_service.py b/inventory-backend/app/services/inbound/buy_service.py
index caf6c04..83f92cd 100644
--- a/inventory-backend/app/services/inbound/buy_service.py
+++ b/inventory-backend/app/services/inbound/buy_service.py
@@ -351,11 +351,20 @@ class BuyInboundService:
             # ============================================================
             # 【行级数据隔离】基于 JWT 中的 company_name 进行过滤
             # ============================================================
+            from flask_jwt_extended import get_jwt
+            
             claims = get_jwt()
             user_role = claims.get('role', '').upper() if claims.get('role') else ''
             user_company = claims.get('company_name', '')
 
-            if user_role != 'SUPER_ADMIN':
+            # 获取用户权限列表（用于检查 global:cross_company 特权）
+            from app.services.auth_service import AuthService
+            user_perms = AuthService.get_user_permissions(user_role) if user_role else []
+            # 合并菜单和元素权限
+            all_perms = user_perms.get('menus', []) + user_perms.get('elements', [])
+            has_cross_company = 'global:cross_company' in all_perms or ('inbound_buy:*' in all_perms)
+
+            if user_role != 'SUPER_ADMIN' and not has_cross_company:
                 # 【显式拒绝越权】如果前端传了公司参数，且不是当前用户的公司，返回403
                 if company and company.strip() and company.strip() != user_company:
                     from flask import abort
@@ -364,7 +373,7 @@ class BuyInboundService:
                 if user_company:
                     query = query.filter(MaterialBase.company_name == user_company)
             else:
-                # 超级管理员：允许跨公司视角
+                # 超级管理员或拥有跨域特权：允许跨公司视角
                 if company and company.strip():
                     query = query.filter(MaterialBase.company_name == company.strip())
 
diff --git a/inventory-web/src/views/system/PermissionConfig.vue b/inventory-web/src/views/system/PermissionConfig.vue
index 5a3e924..cd99e4a 100644
--- a/inventory-web/src/views/system/PermissionConfig.vue
+++ b/inventory-web/src/views/system/PermissionConfig.vue
@@ -203,9 +203,26 @@ const fetchTree = async () => {
   try {
     const res: any = await getAllPermissionTree()
     if (res.code === 200) {
-      rawTreeData.value = res.data
-      // 初始化表格结构（此时没有勾选状态）
-      tableData.value = transformData(res.data)
+      // --- 注入全局特权虚拟节点 ---
+      const globalNode = {
+        id: 99999, // 虚拟ID
+        name: '🌍 全局系统特权',
+        code: 'global_privileges',
+        type: 'menu',
+        children: [
+          {
+            id: 999991,
+            name: '跨组织/跨区域数据查询',
+            code: 'global:cross_company',
+            type: 'element'
+          }
+        ]
+      };
+      // 将虚拟节点放在最前面，然后交给 transformData 处理
+      const rawData = [globalNode, ...(res.data || [])];
+      
+      rawTreeData.value = rawData;
+      tableData.value = transformData(rawData);
     }
   } catch (e) {
     ElMessage.error('加载权限配置失败')