diff --git a/src/controllers/03-employee-controller.ts b/src/controllers/03-employee-controller.ts
index 16af98f..3933284 100644
--- a/src/controllers/03-employee-controller.ts
+++ b/src/controllers/03-employee-controller.ts
@@ -403,7 +403,26 @@ export class EmployeeController extends Controller {
 prisma.subDistrict.findFirst({ where: { id: body.subDistrictId || undefined } }),
 prisma.customerBranch.findFirst({
 where: { id: body.customerBranchId },
- include: { customer: true },
+ include: {
+ customer: {
+ include: {
+ registeredBranch: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ headOffice: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
 }),
 ]);
 if (body.provinceId !== province?.id)
@@ -430,6 +449,29 @@ export class EmployeeController extends Controller {
 "Customer Branch cannot be found.",
 "relationCustomerBranchNotFound",
 );
+ if (!isSystem(req.user)) {
+ const _branch = customerBranch.customer.registeredBranch;
+ const affilationBranch = _branch && _branch.user.length !== 0;
+ const affilationHeadBranch =
+ _branch && _branch.headOffice && _branch.headOffice.user.length !== 0;
+ if (!globalAllow(req.user)) {
+ if (!affilationBranch) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ } else {
+ if (!affilationBranch && !affilationHeadBranch) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ }
+ }
 const {
 provinceId,
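Review bot: The `user: { where: { userId: req.user.sub } }` filter inside the new `registeredBranch`/`headOffice` include is what the permission check in the next hunk depends on (`_branch.user.length !== 0` and `_branch.headOffice.user.length !== 0`), yet nothing at the include says so; if the `where` is ever dropped or loosened, `user.length` counts every affiliated user and the check passes for any authenticated caller. Add a comment above the `include:` such as `// filtered to the caller only: the affiliation check below tests user.length, so this where clause is load-bearing for authorization`. The same nested include is repeated verbatim in the third hunk (`prisma.employee.findFirst` in the update path), so one shared helper, e.g. `const affiliationInclude = (userId: string) => ({ user: { where: { userId } }, headOffice: { include: { user: { where: { userId } } } } })`, would keep the two query sites from drifting apart (the parameter type should match however the project declares `req.user.sub`). The array of queries these `findFirst` calls sit in (closed by `]);`) begins before this hunk.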
@@ -568,7 +610,33 @@ export class EmployeeController extends Controller {
 where: { id: body.customerBranchId || undefined },
 include: { customer: true },
 }),
- prisma.employee.findFirst({ where: { id: employeeId } }),
+ prisma.employee.findFirst({
+ where: { id: employeeId },
+ include: {
+ customerBranch: {
+ include: {
+ customer: {
+ include: {
+ registeredBranch: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ headOffice: {
+ include: {
+ user: {
+ where: { userId: req.user.sub },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ }),
 ]);
 if (body.provinceId && !province)
 throw new HttpError(