diff --git a/prisma/migrations/20250814060937_add_updated_at_to_work_step/migration.sql b/prisma/migrations/20250814060937_add_updated_at_to_work_step/migration.sql
new file mode 100644
index 0000000..d1bf6c5
--- /dev/null
+++ b/prisma/migrations/20250814060937_add_updated_at_to_work_step/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "RequestWorkStepStatus" ADD COLUMN     "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index 9cf97fd..00bd192 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -1612,6 +1612,7 @@ model RequestWork {
 model RequestWorkStepStatus {
   step       Int
   workStatus RequestWorkStatus @default(Pending)
+  updatedAt  DateTime          @default(now()) @updatedAt
 
   requestWork   RequestWork @relation(fields: [requestWorkId], references: [id], onDelete: Cascade)
   requestWorkId String
diff --git a/src/controllers/03-customer-branch-controller.ts b/src/controllers/03-customer-branch-controller.ts
index aada50c..eda1546 100644
--- a/src/controllers/03-customer-branch-controller.ts
+++ b/src/controllers/03-customer-branch-controller.ts
@@ -623,7 +623,7 @@ export class CustomerBranchFileController extends Controller {
       },
     });
     if (!data) throw notFoundError("Customer Branch");
-    await permissionCheck(user, data.customer.registeredBranch);
+    await permissionCheckCompany(user, data.customer.registeredBranch);
   }
 
   @Get("attachment")
diff --git a/src/controllers/03-employee-controller.ts b/src/controllers/03-employee-controller.ts
index 99d69ef..411b817 100644
--- a/src/controllers/03-employee-controller.ts
+++ b/src/controllers/03-employee-controller.ts
@@ -65,7 +65,9 @@ function globalAllow(user: RequestWithUser["user"]) {
   return user.roles?.some((v) => listAllowed.includes(v)) || false;
 }
 
+const permissionCondCompany = createPermCondition((_) => true);
 const permissionCond = createPermCondition(globalAllow);
+const permissionCheckCompany = createPermCheck((_) => true);
 const permissionCheck = createPermCheck(globalAllow);
 
 type EmployeeCreate = {
@@ -669,7 +671,7 @@ export class EmployeeFileController extends Controller {
       },
     });
     if (!data) throw notFoundError("Employee");
-    await permissionCheck(user, data.customerBranch.customer.registeredBranch);
+    await permissionCheckCompany(user, data.customerBranch.customer.registeredBranch);
   }
 
   @Get("image")