diff --git a/src/controllers/customer-branch-controller.ts b/src/controllers/customer-branch-controller.ts
index 020d5fb..5a8de8a 100644
--- a/src/controllers/customer-branch-controller.ts
+++ b/src/controllers/customer-branch-controller.ts
@@ -24,6 +24,15 @@ if (!process.env.MINIO_BUCKET) {
 }
 
 const MINIO_BUCKET = process.env.MINIO_BUCKET;
+const MANAGE_ROLES = [
+  "system",
+  "head_of_admin",
+  "admin",
+  "branch_admin",
+  "branch_manager",
+  "head_of_sale",
+  "sale",
+];
 
 function imageLocation(id: string) {
   return `employee/profile-img-${id}`;
@@ -40,6 +49,7 @@ export type CustomerBranchCreate = {
 
   legalPersonNo: string;
 
+  branchNo: number;
   taxNo: string | null;
   name: string;
   nameEN: string;
@@ -105,9 +115,9 @@ export type CustomerBranchUpdate = {
 
 @Route("api/v1/customer-branch")
 @Tags("Customer Branch")
-@Security("keycloak")
 export class CustomerBranchController extends Controller {
   @Get()
+  @Security("keycloak")
   async list(
     @Query() zipCode?: string,
     @Query() customerId?: string,
@@ -173,6 +183,7 @@ export class CustomerBranchController extends Controller {
   }
 
   @Get("{branchId}")
+  @Security("keycloak")
   async getById(@Path() branchId: string) {
     const record = await prisma.customerBranch.findFirst({
       include: {
@@ -193,6 +204,7 @@ export class CustomerBranchController extends Controller {
   }
 
   @Get("{branchId}/employee")
+  @Security("keycloak")
   async listEmployee(
     @Path() branchId: string,
     @Query() zipCode?: string,
@@ -245,6 +257,7 @@ export class CustomerBranchController extends Controller {
   }
 
   @Post()
+  @Security("keycloak", MANAGE_ROLES)
   async create(@Request() req: RequestWithUser, @Body() body: CustomerBranchCreate) {
     const [province, district, subDistrict, customer] = await prisma.$transaction([
       prisma.province.findFirst({ where: { id: body.provinceId || undefined } }),
@@ -281,9 +294,16 @@ export class CustomerBranchController extends Controller {
 
     const record = await prisma.$transaction(
       async (tx) => {
-        const count = await tx.customerBranch.count({
-          where: { customerId },
+        const conflict = await tx.customerBranch.findFirst({
+          where: { customerId, branchNo: rest.branchNo },
         });
+        if (conflict) {
+          throw new HttpError(
+            HttpStatus.BAD_REQUEST,
+            "Branch with current no already exists.",
+            "branchSameNoExist",
+          );
+        }
 
         return await tx.customerBranch.create({
           include: {
@@ -296,8 +316,7 @@ export class CustomerBranchController extends Controller {
           data: {
             ...rest,
             statusOrder: +(rest.status === "INACTIVE"),
-            branchNo: count + 1,
-            code: `${customer.code}-${(count + 1).toString().padStart(2, "0")}`,
+            code: `${customer.code}-${rest.branchNo.toString().padStart(2, "0")}`,
             customer: { connect: { id: customerId } },
             province: { connect: provinceId ? { id: provinceId } : undefined },
             district: { connect: districtId ? { id: districtId } : undefined },
@@ -321,6 +340,7 @@ export class CustomerBranchController extends Controller {
   }
 
   @Put("{branchId}")
+  @Security("keycloak", MANAGE_ROLES)
   async editById(
     @Request() req: RequestWithUser,
     @Body() body: CustomerBranchUpdate,
@@ -400,6 +420,7 @@ export class CustomerBranchController extends Controller {
   }
 
   @Delete("{branchId}")
+  @Security("keycloak", MANAGE_ROLES)
   async delete(@Path() branchId: string) {
     const record = await prisma.customerBranch.findFirst({
       where: { id: branchId },