diff --git a/BMA.EHR.Command.Service/Controllers/OrderController.cs b/BMA.EHR.Command.Service/Controllers/OrderController.cs index e131ec3e..613e52f1 100644 --- a/BMA.EHR.Command.Service/Controllers/OrderController.cs +++ b/BMA.EHR.Command.Service/Controllers/OrderController.cs @@ -6431,6 +6431,12 @@ namespace BMA.EHR.Command.Service.Controllers { try { + var getPermission = await _permission.GetPermissionAPIAsync("CREATE", "COMMAND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var token = string.Empty; if (AuthenticationHeaderValue.TryParse(authorization, out var headerValue)) { diff --git a/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs b/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs index a9b42301..e1612970 100644 --- a/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs +++ b/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs @@ -60,7 +60,7 @@ namespace BMA.EHR.DisciplineComplaint_Channel.Service.Controllers [HttpGet()] public async Task> GetDiscipline(int page = 1, int pageSize = 25, string keyword = "") { - var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_COMPLAIN"); + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_INFO"); var jsonData = JsonConvert.DeserializeObject(getPermission); if (jsonData["status"]?.ToString() != "200") { diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs index 3a148b74..38b9c196 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs 
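Review bot: `jsonData["status"]` in the check added to OrderController dereferences the deserialized result without a null guard, so an empty or literal `null` body from the permission service raises a NullReferenceException instead of producing a clean denial. Here the enclosing `try` may absorb it (its catch is outside the hunk), but the same six lines added to AdminConfirm, GetList, GetListByAdmin and GetListQuestion have no `try` visible around them and would likely surface as an unhandled 500. The outcome is still fail-closed, but the denial should be explicit: `if (jsonData?["status"]?.ToString() != "200")` with `jsonData?["message"]?.ToString()` in the `Error(...)` call. Since GetPermissionAPIAsync is not shown, it is also worth confirming that it cannot hand back a default or cached "200" body when the upstream call itself fails.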
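Review bot: The system key passed to GetPermissionAPIAsync in GetDiscipline is a bare string literal, and swapping `SYS_DISCIPLINE_COMPLAIN` for `SYS_DISCIPLINE_INFO` changes which roles can list these records without anything in the hunk recording why. The other actions of this controller are outside the hunk and may still check the old key, which would leave list and write operations governed by different permissions. Declaring the key once, e.g. `private const string PermissionSystem = "SYS_DISCIPLINE_INFO";`, and using it in every action of the controller keeps them from drifting and makes a mistyped key a compile-time concern rather than a silent authorization change. Please also confirm that the permission service denies, rather than allows, a key it does not recognise.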
@@ -618,6 +618,13 @@ namespace BMA.EHR.Placement.Service.Controllers [HttpGet("confirm/{id:length(36)}")] public async Task> AdminConfirm(Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_TRANSFER_REQ"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var uppdated = await _context.PlacementTransfers .FirstOrDefaultAsync(x => x.Id == id); if (uppdated == null) diff --git a/BMA.EHR.Retirement.Service/Controllers/RetirementDeceasedController.cs b/BMA.EHR.Retirement.Service/Controllers/RetirementDeceasedController.cs index b8828a06..1585fcac 100644 --- a/BMA.EHR.Retirement.Service/Controllers/RetirementDeceasedController.cs +++ b/BMA.EHR.Retirement.Service/Controllers/RetirementDeceasedController.cs @@ -82,6 +82,12 @@ namespace BMA.EHR.Retirement.Service.Controllers [HttpGet()] public async Task> GetList() { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_PASSAWAY"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var rootId = ""; var child1Id = ""; var child2Id = ""; diff --git a/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs b/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs index 7d4196cd..774a529f 100644 --- a/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs +++ b/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs 
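Review bot: AdminConfirm is routed as `[HttpGet("confirm/{id:length(36)}")]`, yet the added check asks for the `UPDATE` permission on `SYS_TRANSFER_REQ`, which suggests the action changes state; the body continues outside the hunk, so this is inferred from the name and the permission requested. If it does modify the transfer, a GET route is the wrong verb: proxies, crawlers and link prefetchers treat GET as safe, the URL with the record id lands in access logs and browser history, and wherever credentials are attached automatically the confirmation can be triggered cross-site. The new permission check does not help with that, because the request arrives with a legitimately authorised admin's identity. Consider `[HttpPut("confirm/{id:length(36)}")]` (or POST), keeping the GET route only for a short deprecation window if existing clients depend on it.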
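Review bot: Every status other than "200" from the permission service is returned to the client as 403 together with the upstream `message` text, in GetList here and in the identical blocks this commit adds to the other controllers. An expired token or a permission-service outage would therefore be reported as a permission denial, which misleads both the user and anyone reading the logs for authorization failures. Whatever the service places in `message` also reaches the caller unfiltered; whether that can include internal detail is not visible from the diff and should be checked against the service. I would map the upstream status explicitly (401 stays 401, unexpected values are logged and returned as a gateway error) and answer denials with a fixed text, for example `return Error("Forbidden", StatusCodes.Status403Forbidden);`.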
@@ -174,7 +174,12 @@ namespace BMA.EHR.Retirement.Service.Controllers [HttpGet()] public async Task> GetListByAdmin() { - + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_RESIGN"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var retirementResigns = await _context.RetirementResigns.AsQueryable() .OrderByDescending(x => x.CreatedAt) .Select(p => new @@ -1083,6 +1088,12 @@ $"คำขอลาออกของ {updated.prefix}{updated.firstName} {upda [HttpGet("questionnaire")] public async Task> GetListQuestion() { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_RESIGN_INTERVIEW"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _context.RetirementQuestions.AsQueryable() .OrderByDescending(x => x.CreatedAt) .Select(p => new
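Review bot: The six-line permission block added to GetListByAdmin is pasted again into GetListQuestion in the next hunk and into the other controllers touched by this commit, so authorization depends on each action remembering to include it. These endpoints apparently shipped without the check until now, which is the typical failure of an opt-in guard. Moving the call into an action filter or authorization attribute parameterised by action and system key, for example `[RequirePermission("LIST", "SYS_RESIGN")]` (a name proposed here, not one from the codebase), would make the requirement declarative. A test could then enumerate controller actions that carry no such attribute, and the filter would be the single place to handle a null, malformed or non-200 permission response.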