diff --git a/src/common/security/rbac/context.go b/src/common/security/rbac/context.go
index f72e6452d..eccf02d28 100644
--- a/src/common/security/rbac/context.go
+++ b/src/common/security/rbac/context.go
@@ -17,20 +17,20 @@ package rbac
 import (
 	"github.com/vmware/harbor/src/common"
 	"github.com/vmware/harbor/src/common/models"
-	"github.com/vmware/harbor/src/ui/pms"
+	"github.com/vmware/harbor/src/ui/pm"
 )
 
 // SecurityContext implements security.Context interface based on database
 type SecurityContext struct {
 	user *models.User
-	pms  pms.PMS
+	pm   pm.PM
 }
 
 // NewSecurityContext ...
-func NewSecurityContext(user *models.User, pms pms.PMS) *SecurityContext {
+func NewSecurityContext(user *models.User, pm pm.PM) *SecurityContext {
 	return &SecurityContext{
 		user: user,
-		pms:  pms,
+		pm:   pm,
 	}
 }
 
@@ -60,7 +60,7 @@ func (s *SecurityContext) IsSysAdmin() bool {
 // HasReadPerm returns whether the user has read permission to the project
 func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
 	// public project
-	if s.pms.IsPublic(projectIDOrName) {
+	if s.pm.IsPublic(projectIDOrName) {
 		return true
 	}
 
@@ -74,7 +74,7 @@ func (s *SecurityContext) HasReadPerm(projectIDOrName interface{}) bool {
 		return true
 	}
 
-	roles := s.pms.GetRoles(s.GetUsername(), projectIDOrName)
+	roles := s.pm.GetRoles(s.GetUsername(), projectIDOrName)
 	for _, role := range roles {
 		switch role {
 		case common.RoleProjectAdmin,
@@ -98,7 +98,7 @@ func (s *SecurityContext) HasWritePerm(projectIDOrName interface{}) bool {
 		return true
 	}
 
-	roles := s.pms.GetRoles(s.GetUsername(), projectIDOrName)
+	roles := s.pm.GetRoles(s.GetUsername(), projectIDOrName)
 	for _, role := range roles {
 		switch role {
 		case common.RoleProjectAdmin,
@@ -120,7 +120,7 @@ func (s *SecurityContext) HasAllPerm(projectIDOrName interface{}) bool {
 		return true
 	}
 
-	roles := s.pms.GetRoles(s.GetUsername(), projectIDOrName)
+	roles := s.pm.GetRoles(s.GetUsername(), projectIDOrName)
 	for _, role := range roles {
 		switch role {
 		case common.RoleProjectAdmin:
diff --git a/src/common/security/rbac/context_test.go b/src/common/security/rbac/context_test.go
index 52aabd39e..ef297c1be 100644
--- a/src/common/security/rbac/context_test.go
+++ b/src/common/security/rbac/context_test.go
@@ -22,15 +22,15 @@ import (
 	"github.com/vmware/harbor/src/common/models"
 )
 
-type fakePMS struct {
+type fakePM struct {
 	public string
 	roles  map[string][]int
 }
 
-func (f *fakePMS) IsPublic(projectIDOrName interface{}) bool {
+func (f *fakePM) IsPublic(projectIDOrName interface{}) bool {
 	return f.public == projectIDOrName.(string)
 }
-func (f *fakePMS) GetRoles(username string, projectIDOrName interface{}) []int {
+func (f *fakePM) GetRoles(username string, projectIDOrName interface{}) []int {
 	return f.roles[projectIDOrName.(string)]
 }
 
@@ -78,7 +78,7 @@ func TestIsSysAdmin(t *testing.T) {
 }
 
 func TestHasReadPerm(t *testing.T) {
-	pms := &fakePMS{
+	pm := &fakePM{
 		public: "public_project",
 		roles: map[string][]int{
 			"has_read_perm_project": []int{common.RoleGuest},
@@ -86,35 +86,35 @@ func TestHasReadPerm(t *testing.T) {
 	}
 
 	// public project, unauthenticated
-	ctx := NewSecurityContext(nil, pms)
+	ctx := NewSecurityContext(nil, pm)
 	assert.True(t, ctx.HasReadPerm("public_project"))
 
 	// private project, unauthenticated
-	ctx = NewSecurityContext(nil, pms)
+	ctx = NewSecurityContext(nil, pm)
 	assert.False(t, ctx.HasReadPerm("has_read_perm_project"))
 
 	// private project, authenticated, has no perm
 	ctx = NewSecurityContext(&models.User{
 		Username: "test",
-	}, pms)
+	}, pm)
 	assert.False(t, ctx.HasReadPerm("has_no_perm_project"))
 
 	// private project, authenticated, has read perm
 	ctx = NewSecurityContext(&models.User{
 		Username: "test",
-	}, pms)
+	}, pm)
 	assert.True(t, ctx.HasReadPerm("has_read_perm_project"))
 
 	// private project, authenticated, system admin
 	ctx = NewSecurityContext(&models.User{
 		Username:     "test",
 		HasAdminRole: 1,
-	}, pms)
+	}, pm)
 	assert.True(t, ctx.HasReadPerm("has_no_perm_project"))
 }
 
 func TestHasWritePerm(t *testing.T) {
-	pms := &fakePMS{
+	pm := &fakePM{
 		roles: map[string][]int{
 			"has_read_perm_project":  []int{common.RoleGuest},
 			"has_write_perm_project": []int{common.RoleGuest, common.RoleDeveloper},
@@ -122,31 +122,31 @@ func TestHasWritePerm(t *testing.T) {
 	}
 
 	// unauthenticated
-	ctx := NewSecurityContext(nil, pms)
+	ctx := NewSecurityContext(nil, pm)
 	assert.False(t, ctx.HasWritePerm("has_write_perm_project"))
 
 	// authenticated, has read perm
 	ctx = NewSecurityContext(&models.User{
 		Username: "test",
-	}, pms)
+	}, pm)
 	assert.False(t, ctx.HasWritePerm("has_read_perm_project")) // authenticated, has read perm
 
 	// authenticated, has write perm
 	ctx = NewSecurityContext(&models.User{
 		Username: "test",
-	}, pms)
+	}, pm)
 	assert.True(t, ctx.HasWritePerm("has_write_perm_project"))
 
 	// authenticated, system admin
 	ctx = NewSecurityContext(&models.User{
 		Username:     "test",
 		HasAdminRole: 1,
-	}, pms)
+	}, pm)
 	assert.True(t, ctx.HasReadPerm("has_no_perm_project"))
 }
 
 func TestHasAllPerm(t *testing.T) {
-	pms := &fakePMS{
+	pm := &fakePM{
 		roles: map[string][]int{
 			"has_read_perm_project":  []int{common.RoleGuest},
 			"has_write_perm_project": []int{common.RoleGuest, common.RoleDeveloper},
@@ -155,31 +155,31 @@ func TestHasAllPerm(t *testing.T) {
 	}
 
 	// unauthenticated
-	ctx := NewSecurityContext(nil, pms)
+	ctx := NewSecurityContext(nil, pm)
 	assert.False(t, ctx.HasAllPerm("has_all_perm_project"))
 
 	// authenticated, has read perm
 	ctx = NewSecurityContext(&models.User{
 		Username: "test",
-	}, pms)
+	}, pm)
 	assert.False(t, ctx.HasAllPerm("has_read_perm_project"))
 
 	// authenticated, has write perm
 	ctx = NewSecurityContext(&models.User{
 		Username: "test",
-	}, pms)
+	}, pm)
 	assert.False(t, ctx.HasAllPerm("has_write_perm_project"))
 
 	// authenticated, has all perms
 	ctx = NewSecurityContext(&models.User{
 		Username: "test",
-	}, pms)
+	}, pm)
 	assert.True(t, ctx.HasAllPerm("has_all_perm_project"))
 
 	// authenticated, system admin
 	ctx = NewSecurityContext(&models.User{
 		Username:     "test",
 		HasAdminRole: 1,
-	}, pms)
+	}, pm)
 	assert.True(t, ctx.HasReadPerm("has_no_perm_project"))
 }
diff --git a/src/ui/pm/db/pm.go b/src/ui/pm/db/pm.go
new file mode 100644
index 000000000..cabe127ff
--- /dev/null
+++ b/src/ui/pm/db/pm.go
@@ -0,0 +1,110 @@
+// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package db
+
+import (
+	"github.com/vmware/harbor/src/common"
+	"github.com/vmware/harbor/src/common/dao"
+	"github.com/vmware/harbor/src/common/models"
+	"github.com/vmware/harbor/src/common/utils/log"
+)
+
+// PM implements pm.PM interface based on database
+type PM struct{}
+
+// IsPublic returns whether the project is public or not
+func (p *PM) IsPublic(projectIDOrName interface{}) bool {
+	var project *models.Project
+	var err error
+	switch projectIDOrName.(type) {
+	case string:
+		name := projectIDOrName.(string)
+		project, err = dao.GetProjectByName(name)
+		if err != nil {
+			log.Errorf("failed to get project %s: %v", name, err)
+		}
+	case int64:
+		id := projectIDOrName.(int64)
+		project, err = dao.GetProjectByID(id)
+		if err != nil {
+			log.Errorf("failed to get project %d: %v", id, err)
+		}
+	default:
+		log.Errorf("unsupported type of %v, must be string or int64", projectIDOrName)
+	}
+
+	if project == nil {
+		return false
+	}
+
+	return project.Public == 1
+}
+
+// GetRoles return a role list which contains the user's roles to the project
+func (p *PM) GetRoles(username string, projectIDOrName interface{}) []int {
+	roles := []int{}
+
+	user, err := dao.GetUser(models.User{
+		Username: username,
+	})
+	if err != nil {
+		log.Errorf("failed to get user %s: %v", username, err)
+		return roles
+	}
+	if user == nil {
+		return roles
+	}
+
+	var projectID int64
+	switch projectIDOrName.(type) {
+	case string:
+		name := projectIDOrName.(string)
+		project, err := dao.GetProjectByName(name)
+		if err != nil {
+			log.Errorf("failed to get project %s: %v", name, err)
+			return roles
+		}
+
+		if project == nil {
+			return roles
+		}
+		projectID = project.ProjectID
+	case int64:
+		projectID = projectIDOrName.(int64)
+	default:
+		log.Errorf("unsupported type of %v, must be string or int64", projectIDOrName)
+		return roles
+	}
+
+	roleList, err := dao.GetUserProjectRoles(user.UserID, projectID)
+	if err != nil {
+		log.Errorf("failed to get roles for user %d to project %d: %v",
+			user.UserID, projectID, err)
+		return roles
+	}
+
+	for _, role := range roleList {
+		switch role.RoleCode {
+		case "MDRWS":
+			roles = append(roles, common.RoleProjectAdmin)
+		case "RWS":
+			roles = append(roles, common.RoleDeveloper)
+		case "RS":
+			roles = append(roles, common.RoleGuest)
+		}
+	}
+
+	return roles
+}
diff --git a/src/ui/pm/db/pm_test.go b/src/ui/pm/db/pm_test.go
new file mode 100644
index 000000000..a106686c9
--- /dev/null
+++ b/src/ui/pm/db/pm_test.go
@@ -0,0 +1,106 @@
+// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package db
+
+import (
+	"os"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/vmware/harbor/src/common"
+	"github.com/vmware/harbor/src/common/dao"
+	"github.com/vmware/harbor/src/common/models"
+	"github.com/vmware/harbor/src/common/utils/log"
+)
+
+func TestMain(m *testing.M) {
+	dbHost := os.Getenv("MYSQL_HOST")
+	if len(dbHost) == 0 {
+		log.Fatalf("environment variable MYSQL_HOST is not set")
+	}
+	dbPortStr := os.Getenv("MYSQL_PORT")
+	if len(dbPortStr) == 0 {
+		log.Fatalf("environment variable MYSQL_PORT is not set")
+	}
+	dbPort, err := strconv.Atoi(dbPortStr)
+	if err != nil {
+		log.Fatalf("invalid MYSQL_PORT: %v", err)
+	}
+	dbUser := os.Getenv("MYSQL_USR")
+	if len(dbUser) == 0 {
+		log.Fatalf("environment variable MYSQL_USR is not set")
+	}
+
+	dbPassword := os.Getenv("MYSQL_PWD")
+	dbDatabase := os.Getenv("MYSQL_DATABASE")
+	if len(dbDatabase) == 0 {
+		log.Fatalf("environment variable MYSQL_DATABASE is not set")
+	}
+
+	database := &models.Database{
+		Type: "mysql",
+		MySQL: &models.MySQL{
+			Host:     dbHost,
+			Port:     dbPort,
+			Username: dbUser,
+			Password: dbPassword,
+			Database: dbDatabase,
+		},
+	}
+
+	log.Infof("MYSQL_HOST: %s, MYSQL_USR: %s, MYSQL_PORT: %d, MYSQL_PWD: %s\n", dbHost, dbUser, dbPort, dbPassword)
+
+	if err := dao.InitDatabase(database); err != nil {
+		log.Fatalf("failed to initialize database: %v", err)
+	}
+
+	os.Exit(m.Run())
+}
+
+func TestIsPublic(t *testing.T) {
+	pms := &PM{}
+	// project name
+	assert.True(t, pms.IsPublic("library"))
+	// project ID
+	assert.True(t, pms.IsPublic(int64(1)))
+	// non exist project
+	assert.False(t, pms.IsPublic("non_exist_project"))
+	// invalid type
+	assert.False(t, pms.IsPublic(1))
+}
+
+func TestGetRoles(t *testing.T) {
+	pm := &PM{}
+
+	// non exist user
+	assert.Equal(t, []int{},
+		pm.GetRoles("non_exist_user", int64(1)))
+
+	// project ID
+	assert.Equal(t, []int{common.RoleProjectAdmin},
+		pm.GetRoles("admin", int64(1)))
+
+	// project name
+	assert.Equal(t, []int{common.RoleProjectAdmin},
+		pm.GetRoles("admin", "library"))
+
+	// non exist project
+	assert.Equal(t, []int{},
+		pm.GetRoles("admin", "non_exist_project"))
+
+	// invalid type
+	assert.Equal(t, []int{}, pm.GetRoles("admin", 1))
+}
diff --git a/src/ui/pm/pm.go b/src/ui/pm/pm.go
new file mode 100644
index 000000000..8a42fe9f0
--- /dev/null
+++ b/src/ui/pm/pm.go
@@ -0,0 +1,22 @@
+// Copyright (c) 2017 VMware, Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//    http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pm
+
+// PM is the project mamager which abstracts the operations related
+// to projects
+type PM interface {
+	IsPublic(projectIDOrName interface{}) bool
+	GetRoles(username string, projectIDOrName interface{}) []int
+}