diff --git a/BMA.EHR.Command.Service/Controllers/OrderController.cs b/BMA.EHR.Command.Service/Controllers/OrderController.cs
index fd2792db..e131ec3e 100644
--- a/BMA.EHR.Command.Service/Controllers/OrderController.cs
+++ b/BMA.EHR.Command.Service/Controllers/OrderController.cs
@@ -609,6 +609,13 @@ namespace BMA.EHR.Command.Service.Controllers
         {
             try
             {
+                var getPermission = await _permission.GetPermissionAPIAsync("LIST", "COMMAND");
+                var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+                if (jsonData["status"]?.ToString() != "200")
+                {
+                    return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+                }
+
                 var data = (await _repository.GetAllAsync())
                             .Select(d => new
                             {