diff --git a/BMA.EHR.Application/Repositories/MessageQueue/NotificationRepository.cs b/BMA.EHR.Application/Repositories/MessageQueue/NotificationRepository.cs index 0f4b89d8..717069ce 100644 --- a/BMA.EHR.Application/Repositories/MessageQueue/NotificationRepository.cs +++ b/BMA.EHR.Application/Repositories/MessageQueue/NotificationRepository.cs @@ -97,12 +97,12 @@ namespace BMA.EHR.Application.Repositories.MessageQueue }).ToList(); var data_opens = await _dbContext.Set() - .Where(x => x.KeycloakUserId == UserId) + .Where(x => x.ReceiverUserId == Guid.Parse(profileId)) .Where(x => x.DeleteDate == null) .OrderByDescending(x => x.ReceiveDate) .Skip((page - 1) * pageSize) .Take(pageSize) - .Where(x => x.IsOpen == false) + // .Where(x => x.IsOpen == false) .ToListAsync(); foreach (var data_open in data_opens) { diff --git a/BMA.EHR.Application/Repositories/Reports/CandidateReportRepository.cs b/BMA.EHR.Application/Repositories/Reports/CandidateReportRepository.cs index bf82f92e..b6932574 100644 --- a/BMA.EHR.Application/Repositories/Reports/CandidateReportRepository.cs +++ b/BMA.EHR.Application/Repositories/Reports/CandidateReportRepository.cs 
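Review bot: `Guid.Parse(profileId)` inside the `ReceiverUserId` filter throws a `FormatException` when `profileId` is not a well-formed GUID, so a bad value becomes an unhandled error instead of an empty page. Parsing once before the query with `if (!Guid.TryParse(profileId, out var receiverId))` and filtering on `x.ReceiverUserId == receiverId` avoids that. Where `profileId` comes from is outside the hunk; this filter is the only thing scoping notifications to their recipient, so confirm it is derived from the authenticated user and not from a request parameter. The `IsOpen == false` filter is left behind as a comment; delete it, or add a comment saying why already-opened rows are now part of the page. The enclosing method starts and ends outside the hunk.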
@@ -88,38 +88,38 @@ namespace BMA.EHR.Application.Repositories.Reports { p.Id, AvatarId = p.ProfileImg == null ? Guid.Parse("00000000-0000-0000-0000-000000000000") : p.ProfileImg.Id, - ExamIdenNumber = p.ExamIdenNumber == null ? "-" : p.ExamIdenNumber, - PositionName = p.PositionExam == null ? "-" : p.PositionExam.PositionName, - PositionLevelName = p.PositionExam == null ? "-" : p.PositionExam.PositionLevelName, - PeriodExamName = p.PeriodExam == null ? "-" : p.PeriodExam.Name, - PeriodExamRound = p.PeriodExam == null ? "-" : p.PeriodExam.Round.ToString(), - PeriodExamYear = p.PeriodExam == null ? "-" : (p.PeriodExam.Year + 543).ToString(), + ExamIdenNumber = p.ExamIdenNumber == null ? "-" : p.ExamIdenNumber.ToThaiNumber(), + PositionName = p.PositionExam == null ? "-" : p.PositionExam.PositionName.ToThaiNumber(), + PositionLevelName = p.PositionExam == null ? "-" : p.PositionExam.PositionLevelName.ToThaiNumber(), + PeriodExamName = p.PeriodExam == null ? "-" : p.PeriodExam.Name.ToThaiNumber(), + PeriodExamRound = p.PeriodExam == null ? "-" : p.PeriodExam.Round.ToString().ToThaiNumber(), + PeriodExamYear = p.PeriodExam == null ? "-" : (p.PeriodExam.Year + 543).ToString().ToThaiNumber(), FullName = $"{p.PrefixName}{p.FirstName} {p.LastName}", Religion = p.ReligionName == null ? "-" : p.ReligionName, Nationality = p.Nationality == null ? "-" : p.Nationality, - DateOfBirth = p.DateOfBirth == null ? "-" : p.DateOfBirth.Value.ToThaiFullDate2(), - Age = p.DateOfBirth == null ? "-" : p.DateOfBirth.Value.CalculateAgeStrV2(0, 0), - CitizenId = p.CitizenId == null ? "-" : p.CitizenId, + DateOfBirth = p.DateOfBirth == null ? "-" : p.DateOfBirth.Value.ToThaiFullDate2().ToThaiNumber(), + Age = p.DateOfBirth == null ? "-" : p.DateOfBirth.Value.CalculateAgeStrV2(0, 0).ToThaiNumber(), + CitizenId = p.CitizenId == null ? "-" : p.CitizenId.ToThaiNumber(), - EducationLevelExamName = p.Educations.FirstOrDefault() == null ? 
"-" : p.Educations.FirstOrDefault().EducationLevelExamName, + EducationLevelExamName = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationLevelExamName.ToThaiNumber(), EducationName = p.Educations.FirstOrDefault() == null ? null : (p.Educations.FirstOrDefault().EducationLevelExamName == "ปริญญาตรี" || p.Educations.FirstOrDefault().EducationLevelExamName == "ปริญญาโท" || p.Educations.FirstOrDefault().EducationLevelExamName == "ปริญญาเอก" ? p.Educations.FirstOrDefault().EducationName : null), - EducationMajor = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationMajor, + EducationMajor = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationMajor.ToThaiNumber(), EducationLocation = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationLocation, - EducationEndDate = p.Educations.FirstOrDefault() == null || p.Educations.FirstOrDefault().EducationEndDate == null ? "-" : p.Educations.FirstOrDefault().EducationEndDate.Value.ToThaiFullDate2(), - EducationScores = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationScores, + EducationEndDate = p.Educations.FirstOrDefault() == null || p.Educations.FirstOrDefault().EducationEndDate == null ? "-" : p.Educations.FirstOrDefault().EducationEndDate.Value.ToThaiFullDate2().ToThaiNumber(), + EducationScores = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationScores.ToThaiNumber(), EducationType = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationType, EducationLevelHighName = p.Educations.FirstOrDefault() == null ? "-" : p.Educations.FirstOrDefault().EducationLevelHighName, OccupationPositionType = p.OccupationPositionType == "other" ? "ผู้ปฏิบัติงานอื่นในกรุงเทพมหานคร" : (p.OccupationPositionType == "temp" ? "ลูกจ้างชั่วคราว" : (p.OccupationPositionType == "prem" ? 
"ลูกจ้างประจำ" : "-")), OccupationPosition = p.OccupationPosition == null ? "-" : p.OccupationPosition, - OccupationSalary = p.OccupationSalary == null ? "-" : p.OccupationSalary.ToString(), + OccupationSalary = p.OccupationSalary == null ? "-" : p.OccupationSalary.Value.ToString("N0").ToThaiNumber(), OccupationGroup = p.OccupationGroup == null ? "-" : p.OccupationGroup, OccupationPile = p.OccupationPile == null ? "-" : p.OccupationPile, OccupationOrg = p.OccupationOrg == null ? "-" : p.OccupationOrg, - OccupationTelephone = p.OccupationTelephone == null ? "-" : p.OccupationTelephone, + OccupationTelephone = p.OccupationTelephone == null ? "-" : p.OccupationTelephone.ToThaiNumber(), - CareersTotal = sb.ToString(), + CareersTotal = sb.ToString().ToThaiNumber(), // Careers = p.Careers.Select(y => new // { // Position = y.Position, 
@@ -129,24 +129,24 @@ namespace BMA.EHR.Application.Repositories.Reports // RangeDate = y.RangeDate, // }).ToList(), - RegistAddress = p.RegistAddress == null ? "-" : p.RegistAddress, + RegistAddress = p.RegistAddress == null ? "-" : p.RegistAddress.ToThaiNumber(), RegistProvinceName = p.RegistProvinceName == null ? "-" : p.RegistProvinceName, RegistDistrictName = p.RegistDistrictName == null ? "-" : p.RegistDistrictName, RegistSubDistrictName = p.RegistSubDistrictName == null ? "-" : p.RegistSubDistrictName, - RegistZipCode = p.RegistZipCode == null ? "-" : p.RegistZipCode, - CurrentAddress = p.CurrentAddress == null ? (p.RegistAddress == null ? "-" : p.RegistAddress) : p.CurrentAddress, + RegistZipCode = p.RegistZipCode == null ? "-" : p.RegistZipCode.ToThaiNumber(), + CurrentAddress = p.CurrentAddress == null ? (p.RegistAddress == null ? "-" : p.RegistAddress.ToThaiNumber()) : p.CurrentAddress.ToThaiNumber(), CurrentProvinceName = p.CurrentProvinceName == null ? (p.RegistProvinceName == null ? "-" : p.RegistProvinceName) : p.CurrentProvinceName, CurrentDistrictName = p.CurrentDistrictName == null ? (p.RegistDistrictName == null ? "-" : p.RegistDistrictName) : p.CurrentDistrictName, CurrentSubDistrictName = p.CurrentSubDistrictName == null ? (p.RegistSubDistrictName == null ? "-" : p.RegistSubDistrictName) : p.CurrentSubDistrictName, - CurrentZipCode = p.CurrentZipCode == null ? (p.RegistZipCode == null ? "-" : p.RegistZipCode) : p.CurrentZipCode, - Telephone = p.Telephone == null ? "-" : p.Telephone, + CurrentZipCode = p.CurrentZipCode == null ? (p.RegistZipCode == null ? "-" : p.RegistZipCode.ToThaiNumber()) : p.CurrentZipCode.ToThaiNumber(), + Telephone = p.Telephone == null ? "-" : p.Telephone.ToThaiNumber(), Email = p.Email == null ? "-" : p.Email, ContactFullName = $"{p.ContactPrefixName}{p.ContactFirstname} {p.ContactLastname}", ContactRelations = p.ContactRelations == null ? "-" : p.ContactRelations, - ContactTel = p.ContactTel == null ? 
"-" : p.ContactTel, + ContactTel = p.ContactTel == null ? "-" : p.ContactTel.ToThaiNumber(), - RegisterDate = p.RegisterDate == null ? "-" : p.RegisterDate.Value.ToThaiFullDate(), + RegisterDate = p.RegisterDate == null ? "-" : p.RegisterDate.Value.ToThaiFullDate().ToThaiNumber(), }) .FirstOrDefaultAsync(); if (data == null) @@ -176,10 +176,10 @@ namespace BMA.EHR.Application.Repositories.Reports { Position = item.Position, Type = item.Type, - DurationStart = item.DurationStart, - DurationEnd = item.DurationEnd, - RangeDate = item.RangeDate, - Index = retVal, + DurationStart = item.DurationStart.ToThaiNumber(), + DurationEnd = item.DurationEnd.ToThaiNumber(), + RangeDate = item.RangeDate.ToThaiNumber(), + Index = retVal.ToString().ToThaiNumber(), }; data.Add(_data); retVal++; diff --git a/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaintController.cs b/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaintController.cs index e8b878f7..97f01299 100644 --- a/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaintController.cs +++ b/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaintController.cs @@ -14,6 +14,7 @@ using System.Runtime.Serialization; using System.Security.Claims; using Newtonsoft.Json; using Newtonsoft.Json.Linq; +using Microsoft.AspNetCore.Mvc.RazorPages; namespace BMA.EHR.DisciplineComplaint.Service.Controllers { 
@@ -134,10 +135,32 @@ namespace BMA.EHR.DisciplineComplaint.Service.Controllers /// ค่าตัวแปรที่ส่งมาไม่ถูกต้อง /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน - [HttpGet("{id:guid}")] - public async Task> GetByDisciplineComplaint(Guid id) + [HttpGet("{page}/{id:guid}")] + public async Task> GetByDisciplineComplaint(string page,Guid id) { - var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_COMPLAIN"); + page = page.Trim().ToUpper(); + string getPermission; + if (page == "MAIN") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_COMPLAIN"); + } + else if (page == "INVES") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INVESTIGATE"); + } + else if (page == "DISCIP") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INTERROGATE"); + } + else if (page == "RESULT") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_RESULT"); + } + else + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_COMPLAIN"); + } + var jsonData = JsonConvert.DeserializeObject(getPermission); if (jsonData["status"]?.ToString() != "200") { diff --git a/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs b/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs index e1612970..572ca4c8 100644 --- a/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs +++ b/BMA.EHR.Discipline.Service/Controllers/DisciplineComplaint_ChannelController.cs @@ -13,6 +13,7 @@ using Swashbuckle.AspNetCore.Annotations; using System.Security.Claims; using Newtonsoft.Json; using Newtonsoft.Json.Linq; +using System.IO; namespace BMA.EHR.DisciplineComplaint_Channel.Service.Controllers { 
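Review bot: In `GetByDisciplineComplaint` the permission that gets checked is now chosen by the caller-supplied `page` route value, while the record returned for `id` does not depend on it, so the check succeeds for a holder of any one of SYS_DISCIPLINE_COMPLAIN, SYS_DISCIPLINE_INVESTIGATE, SYS_DISCIPLINE_INTERROGATE or SYS_DISCIPLINE_RESULT. If that any-of rule is intended it should be stated in a comment; if access is meant to follow the stage the complaint has reached, the permission has to be derived from the stored record, not from the URL. Separately, `ToUpper()` is culture-sensitive and unrecognised values silently fall back to the default permission; an invariant comparison and a 400 for unknown values would make the mapping explicit, as sketched below. The same pattern is added to `GetDiscipline` in DisciplineComplaint_ChannelController and DisciplineDirectorController, to `GetByDisciplineDisciplinary` and `GetByDisciplineInvestigate`, and to `GetList` and `GetListNote` in the Insignia controllers. The method body continues outside the hunk.

```csharp
// … unchanged: [HttpGet("{page}/{id:guid}")] and the method signature …
{
    // The caller picks the page; only the values listed here are accepted.
    var system = page.Trim().ToUpperInvariant() switch
    {
        "MAIN" => "SYS_DISCIPLINE_COMPLAIN",
        "INVES" => "SYS_DISCIPLINE_INVESTIGATE",
        "DISCIP" => "SYS_DISCIPLINE_INTERROGATE",
        "RESULT" => "SYS_DISCIPLINE_RESULT",
        _ => null,
    };
    if (system == null)
    {
        return BadRequest();
    }

    var getPermission = await _permission.GetPermissionAPIAsync("GET", system);
    // … unchanged: status check on the permission response …
```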
@@ -57,10 +58,39 @@ namespace BMA.EHR.DisciplineComplaint_Channel.Service.Controllers /// ค่าตัวแปรที่ส่งมาไม่ถูกต้อง /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน - [HttpGet()] - public async Task> GetDiscipline(int page = 1, int pageSize = 25, string keyword = "") + [HttpGet("{path}")] + public async Task> GetDiscipline(string path, int page = 1, int pageSize = 25, string keyword = "") { - var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_INFO"); + path = path.Trim().ToUpper(); + string getPermission; + if (path == "MAIN") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_INFO"); + } + else if (path == "COMPLAIN") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_COMPLAIN"); + } + else if (path == "CREATE-COMPLAIN") + { + getPermission = await _permission.GetPermissionAPIAsync("CREATE", "SYS_DISCIPLINE_COMPLAIN"); + } + else if (path == "INVES") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INVESTIGATE"); + } + else if (path == "DISCIP") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INTERROGATE"); + } + else if (path == "RESULT") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_RESULT"); + } + else + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_INFO"); + } var jsonData = JsonConvert.DeserializeObject(getPermission); if (jsonData["status"]?.ToString() != "200") { diff --git a/BMA.EHR.Discipline.Service/Controllers/DisciplineDirectorController.cs b/BMA.EHR.Discipline.Service/Controllers/DisciplineDirectorController.cs index cce9df20..7c081ced 100644 --- a/BMA.EHR.Discipline.Service/Controllers/DisciplineDirectorController.cs +++ b/BMA.EHR.Discipline.Service/Controllers/DisciplineDirectorController.cs 
@@ -13,6 +13,7 @@ using Swashbuckle.AspNetCore.Annotations; using System.Security.Claims; using Newtonsoft.Json; using Newtonsoft.Json.Linq; +using System.IO; namespace BMA.EHR.DisciplineDirector.Service.Controllers { @@ -57,10 +58,29 @@ namespace BMA.EHR.DisciplineDirector.Service.Controllers /// ค่าตัวแปรที่ส่งมาไม่ถูกต้อง /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน - [HttpGet()] - public async Task> GetDiscipline(int page = 1, int pageSize = 25, string keyword = "") + [HttpGet("{path}")] + public async Task> GetDiscipline(string path, int page = 1, int pageSize = 25, string keyword = "") { - var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_INFO"); + path = path.Trim().ToUpper(); + string getPermission; + if (path == "MAIN") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_INFO"); + } + else if (path == "INVES") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INVESTIGATE"); + } + else if (path == "DISCIP") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INTERROGATE"); + } + else + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_DISCIPLINE_INFO"); + } + + var jsonData = JsonConvert.DeserializeObject(getPermission); if (jsonData["status"]?.ToString() != "200") { diff --git a/BMA.EHR.Discipline.Service/Controllers/DisciplineDisciplinaryController.cs b/BMA.EHR.Discipline.Service/Controllers/DisciplineDisciplinaryController.cs index a4adf867..e748b392 100644 --- a/BMA.EHR.Discipline.Service/Controllers/DisciplineDisciplinaryController.cs +++ b/BMA.EHR.Discipline.Service/Controllers/DisciplineDisciplinaryController.cs @@ -13,6 +13,7 @@ using Swashbuckle.AspNetCore.Annotations; using System.Security.Claims; using Newtonsoft.Json; using Newtonsoft.Json.Linq; +using Microsoft.AspNetCore.Mvc.RazorPages; namespace BMA.EHR.DisciplineDisciplinary.Service.Controllers { 
@@ -407,10 +408,23 @@ namespace BMA.EHR.DisciplineDisciplinary.Service.Controllers /// ค่าตัวแปรที่ส่งมาไม่ถูกต้อง /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน - [HttpGet("{id:guid}")] - public async Task> GetByDisciplineDisciplinary(Guid id) + [HttpGet("{page}/{id:guid}")] + public async Task> GetByDisciplineDisciplinary(string page,Guid id) { - var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INTERROGATE"); + page = page.Trim().ToUpper(); + string getPermission; + if (page == "MAIN") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INTERROGATE"); + } + else if (page == "RESULT") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_RESULT"); + } + else + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INTERROGATE"); + } var jsonData = JsonConvert.DeserializeObject(getPermission); if (jsonData["status"]?.ToString() != "200") { diff --git a/BMA.EHR.Discipline.Service/Controllers/DisciplineInvestigateController.cs b/BMA.EHR.Discipline.Service/Controllers/DisciplineInvestigateController.cs index b3c89003..a6f338f0 100644 --- a/BMA.EHR.Discipline.Service/Controllers/DisciplineInvestigateController.cs +++ b/BMA.EHR.Discipline.Service/Controllers/DisciplineInvestigateController.cs @@ -13,6 +13,7 @@ using Swashbuckle.AspNetCore.Annotations; using System.Security.Claims; using Newtonsoft.Json; using Newtonsoft.Json.Linq; +using Microsoft.AspNetCore.Mvc.RazorPages; namespace BMA.EHR.DisciplineInvestigate.Service.Controllers { 
@@ -246,10 +247,28 @@ namespace BMA.EHR.DisciplineInvestigate.Service.Controllers /// ค่าตัวแปรที่ส่งมาไม่ถูกต้อง /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน - [HttpGet("{id:guid}")] - public async Task> GetByDisciplineInvestigate(Guid id) + [HttpGet("{page}/{id:guid}")] + public async Task> GetByDisciplineInvestigate(string page,Guid id) { - var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INVESTIGATE"); + page = page.Trim().ToUpper(); + string getPermission; + if (page == "MAIN") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INVESTIGATE"); + } + else if (page == "DISCIP") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INTERROGATE"); + } + else if (page == "RESULT") + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_RESULT"); + } + else + { + getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_DISCIPLINE_INVESTIGATE"); + } + var jsonData = JsonConvert.DeserializeObject(getPermission); if (jsonData["status"]?.ToString() != "200") { diff --git a/BMA.EHR.Insignia/Controllers/InsigniaManageController.cs b/BMA.EHR.Insignia/Controllers/InsigniaManageController.cs index 4f0e12fd..0ba106a5 100644 --- a/BMA.EHR.Insignia/Controllers/InsigniaManageController.cs +++ b/BMA.EHR.Insignia/Controllers/InsigniaManageController.cs @@ -11,6 +11,7 @@ using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore.Storage.ValueConversion.Internal; using Newtonsoft.Json; +using Newtonsoft.Json.Linq; using OfficeOpenXml.Export.ToDataTable; using Swashbuckle.AspNetCore.Annotations; 
@@ -30,13 +31,14 @@ namespace BMA.EHR.Insignia.Service.Controllers private readonly InsigniaPeriodsRepository _repository; private readonly NotificationRepository _repositoryNoti; private readonly UserProfileRepository _userProfileRepository; - + private readonly PermissionRepository _permission; public InsigniaManageController(ApplicationDBContext context, MinIOService documentService, InsigniaPeriodsRepository repository, NotificationRepository repositoryNoti, IHttpContextAccessor httpContextAccessor, - UserProfileRepository userProfileRepository) + UserProfileRepository userProfileRepository, + PermissionRepository permission) { _context = context; _documentService = documentService; @@ -44,6 +46,7 @@ namespace BMA.EHR.Insignia.Service.Controllers _repositoryNoti = repositoryNoti; _httpContextAccessor = httpContextAccessor; _userProfileRepository = userProfileRepository; + _permission = permission; } #region " Properties " @@ -69,6 +72,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("type/{year}/{insigniaTypeId:length(36)}")] public async Task> GetList(int year, Guid insigniaTypeId) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaType = await _context.InsigniaTypes .FirstOrDefaultAsync(x => x.Id == insigniaTypeId); if (insigniaType == null) 
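Review bot: The permission check added to `GetList` dereferences `jsonData` without a null test, and `JsonConvert.DeserializeObject` returns null for an empty or `null` payload, so an empty permission response becomes an unhandled exception and never reaches the 403 path. Using `if (jsonData?["status"]?.ToString() != "200")` together with `jsonData?["message"]` in the `Error(...)` call keeps the denial explicit. What `GetPermissionAPIAsync` returns on a transport failure is not visible here, so confirm it cannot hand back an empty string. The same six lines are pasted into every action this commit touches in InsigniaManageController, InsigniaPeriodController and InsigniaRequestController; moving them into one private helper or an authorization filter would keep the checks identical and make an unprotected action easier to spot. The `message` text from the permission service is also returned to the client verbatim, which is worth a look if that service can include internal detail.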
@@ -135,6 +144,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPost()] public async Task> Post([FromBody] InsigniaManageRequest req) { + var getPermission = await _permission.GetPermissionAPIAsync("CREATE", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insignia = await _context.Insignias.AsQueryable() .FirstOrDefaultAsync(x => x.Id == req.Insignia); if (insignia == null) @@ -176,6 +191,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpDelete("{insigniaManageId:length(36)}")] public async Task> Delete(Guid insigniaManageId) { + var getPermission = await _permission.GetPermissionAPIAsync("DELETE", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var deleted = await _context.InsigniaManages.AsQueryable() .Where(x => x.Id == insigniaManageId) .FirstOrDefaultAsync(); @@ -200,6 +221,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPut("{insigniaManageId:length(36)}")] public async Task> Put([FromBody] InsigniaManageRequest req, Guid insigniaManageId) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insignia = await _context.Insignias.AsQueryable() .FirstOrDefaultAsync(x => x.Id == req.Insignia); if (insignia == null) 
@@ -241,6 +268,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("org/{insigniaManageId:length(36)}")] public async Task> GetListOrganization(Guid insigniaManageId) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaManage = await _context.InsigniaManages.AsQueryable() .FirstOrDefaultAsync(x => x.Id == insigniaManageId); if (insigniaManage == null) @@ -274,6 +307,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPost("org")] public async Task> PostOrganization([FromBody] InsigniaManageOrganizationRequest req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var organization = _userProfileRepository.GetOc(req.OrganizationOrganizationId, 0, AccessToken); @@ -331,6 +370,13 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpDelete("org/{insigniaManageOrgId:length(36)}")] public async Task> DeleteOrganization(Guid insigniaManageOrgId) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var deleted = await _context.InsigniaManageOrganiations.AsQueryable() .FirstOrDefaultAsync(x => x.Id == insigniaManageOrgId); 
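Review bot: `PostOrganization` (`[HttpPost("org")]`) and `DeleteOrganization` (`[HttpDelete("org/{insigniaManageOrgId:length(36)}")]`) both check the `"UPDATE"` action on SYS_INSIGNIA_ALLOCATE, whereas the top-level `Post` and `Delete` in the same controller check `"CREATE"` and `"DELETE"`. If adding or removing an organization is deliberately treated as an edit of the allocation, say so above each check, for example `// Org rows are part of the allocation, so changing them requires UPDATE rather than CREATE/DELETE.`; otherwise the action strings look copied from `PutOrganization`. Both method bodies continue outside their hunks.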
@@ -353,6 +399,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPut("org/{insigniaManageOrgId:length(36)}")] public async Task> PutOrganization([FromBody] InsigniaManageOrganizationUpdateRequest req, Guid insigniaManageOrgId) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var uppdated = await _context.InsigniaManageOrganiations.AsQueryable() //.Include(x => x.OrganizationOrganization) .Include(x => x.InsigniaManage) @@ -392,6 +444,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("org/dashboard/{insigniaManageId:length(36)}")] public async Task> GetListDashboardOrganization(Guid insigniaManageId) { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_INSIGNIA_ALLOCATE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaManage = await _context.InsigniaManages.AsQueryable() .Include(x => x.InsigniaManageOrganiations) .Select(p => new @@ -424,7 +482,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPost("borrow")] public async Task> PostBorrowInsignia([FromBody] InsigniaBorrowRequest req) { - + var getPermission = await _permission.GetPermissionAPIAsync("CREATE", "SYS_INSIGNIA_BORROW"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaNoteProfile = await _context.InsigniaNoteProfiles.AsQueryable() .Include(x => x.RequestInsignia) .Include(x => x.InsigniaNote) 
@@ -503,7 +566,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPut("return/{insigniaManageProfileId:length(36)}")] public async Task> PutReturnInsignia([FromBody] InsigniaReturnRequest req, Guid insigniaManageProfileId) { - + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_BORROW"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var uppdated = await _context.InsigniaManageProfiles.AsQueryable() //.Include(x => x.BorrowOrganization) .FirstOrDefaultAsync(x => x.Id == insigniaManageProfileId); @@ -548,6 +616,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("borrow/{year}/{insigniaTypeId:length(36)}")] public async Task> ListBorrowReturnInsignia(int year, Guid insigniaTypeId) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_BORROW"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaType = await _context.InsigniaTypes .FirstOrDefaultAsync(x => x.Id == insigniaTypeId); if (insigniaType == null) diff --git a/BMA.EHR.Insignia/Controllers/InsigniaPeriodController.cs b/BMA.EHR.Insignia/Controllers/InsigniaPeriodController.cs index cc8868e8..3a9f3c6d 100644 --- a/BMA.EHR.Insignia/Controllers/InsigniaPeriodController.cs +++ b/BMA.EHR.Insignia/Controllers/InsigniaPeriodController.cs @@ -9,6 +9,8 @@ using BMA.EHR.Infrastructure.Persistence; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; +using Newtonsoft.Json.Linq; +using Newtonsoft.Json; using Swashbuckle.AspNetCore.Annotations; namespace BMA.EHR.Insignia.Service.Controllers 
@@ -27,13 +29,14 @@ namespace BMA.EHR.Insignia.Service.Controllers private readonly InsigniaPeriodsRepository _repository; private readonly NotificationRepository _repositoryNoti; private readonly UserProfileRepository _userProfileRepository; - + private readonly PermissionRepository _permission; public InsigniaPeriodController(ApplicationDBContext context, MinIOService documentService, InsigniaPeriodsRepository repository, NotificationRepository repositoryNoti, IHttpContextAccessor httpContextAccessor, - UserProfileRepository userProfileRepository) + UserProfileRepository userProfileRepository, + PermissionRepository permission) { _context = context; _documentService = documentService; @@ -41,6 +44,7 @@ namespace BMA.EHR.Insignia.Service.Controllers _repositoryNoti = repositoryNoti; _httpContextAccessor = httpContextAccessor; _userProfileRepository = userProfileRepository; + _permission = permission; } #region " Properties " 
@@ -62,8 +66,31 @@ namespace BMA.EHR.Insignia.Service.Controllers /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] - public async Task> GetList() + public async Task> GetList(string path) { + path = path.Trim().ToUpper(); + string getPermission = string.Empty; + if (path == "ROUND") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_ROUND"); + } + else if (path == "MANAGE") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_MANAGE"); + } + else if (path == "REPORT") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_REPORT"); + } + else + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_ROUND"); + } + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaPeriods = await _context.InsigniaPeriods.AsQueryable() // .Where(x => x.Type == type) .OrderByDescending(x => x.Year) @@ -80,6 +107,7 @@ namespace BMA.EHR.Insignia.Service.Controllers period_year = p.Year, period_isActive = p.IsActive, period_doc = p.ReliefDoc == null ? Guid.Parse("00000000-0000-0000-0000-000000000000") : p.ReliefDoc.Id, + period_revision = p.RevisionId, }) .ToListAsync(); var data = new List(); @@ -97,6 +125,7 @@ namespace BMA.EHR.Insignia.Service.Controllers period_year = insigniaPeriod.period_year, period_isActive = insigniaPeriod.period_isActive, period_doc = insigniaPeriod.period_doc == Guid.Parse("00000000-0000-0000-0000-000000000000") ? null : await _documentService.ImagesPath(insigniaPeriod.period_doc), + period_revision = insigniaPeriod.period_revision, }; data.Add(_data); } 
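Review bot: `GetList(string path)` is routed by a bare `[HttpGet()]`, so `path` is bound from the query string and is null when the caller omits it, and `path.Trim()` then throws before any permission is checked. Unless the project relies on nullable reference types with `[ApiController]` to reject the missing value (not visible here), guard it with `path = (path ?? string.Empty).Trim().ToUpperInvariant();`, which also removes the culture-sensitive `ToUpper()`. `GetListNote(string path)` in InsigniaRequestController has the same shape. Adding a required parameter also changes the contract for existing callers of this endpoint, which deserves a line in the XML doc comment above the action.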
@@ -116,6 +145,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("{id:length(36)}")] public async Task> GetById(Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_INSIGNIA_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _context.InsigniaPeriods.AsQueryable() .Where(x => x.Id == id) .Select(p => new @@ -170,6 +205,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPost()] public async Task> Post([FromForm] InsigniaPeriodRequest req) { + var getPermission = await _permission.GetPermissionAPIAsync("CREATE", "SYS_INSIGNIA_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var revisionId = await _userProfileRepository.GetLastRevision(AccessToken); var insigniaPeriod = await _context.InsigniaPeriods.AsQueryable() @@ -225,6 +266,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpDelete("{id:length(36)}")] public async Task> Delete(Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("DELETE", "SYS_INSIGNIA_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var deleted = await _context.InsigniaPeriods.AsQueryable() .Include(x => x.ReliefDoc) .FirstOrDefaultAsync(x => x.Id == id); 
@@ -258,6 +305,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPut("{id:length(36)}")] public async Task> Put([FromForm] InsigniaPeriodRequest req, Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } if (req == null) return BadRequest(); diff --git a/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs b/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs index 56eaf696..8096bb67 100644 --- a/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs +++ b/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs @@ -15,6 +15,7 @@ using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore.Metadata.Internal; using Newtonsoft.Json; +using Newtonsoft.Json.Linq; using OfficeOpenXml; using RabbitMQ.Client; using Swashbuckle.AspNetCore.Annotations; @@ -43,7 +44,7 @@ namespace BMA.EHR.Insignia.Service.Controllers private readonly InsigniaPeriodsRepository _insigniaPeriodRepository; private readonly IConfiguration _configuration; - + private readonly PermissionRepository _permission; /// /// /// @@ -64,7 +65,8 @@ namespace BMA.EHR.Insignia.Service.Controllers IHttpContextAccessor httpContextAccessor, UserProfileRepository userProfileRepository, InsigniaPeriodsRepository insigniaPeriodRepository, - IConfiguration configuration) + IConfiguration configuration, + PermissionRepository permission) { _context = context; _documentService = documentService; @@ -75,6 +77,7 @@ namespace BMA.EHR.Insignia.Service.Controllers _userProfileRepository = userProfileRepository; _insigniaPeriodRepository = insigniaPeriodRepository; _configuration = configuration; + _permission = permission; } #region " Properties " 
@@ -343,6 +346,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("{insigniaPeriodId:length(36)}/{ocId:length(36)}/{role}/{status}")] public async Task> GetInsignaiRequestBkk(Guid insigniaPeriodId, Guid ocId, string role, string status) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_MANAGE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var result = await _repository.GetInsigniaRequest(insigniaPeriodId, ocId); if (result != null) { @@ -947,6 +956,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("dashboard/{insigniaPeriodId:length(36)}")] public async Task> DashboardInsigniaPeriod(Guid insigniaPeriodId) { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_INSIGNIA_MANAGE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaPeriod = await _context.InsigniaPeriods.FirstOrDefaultAsync(x => x.Id == insigniaPeriodId); if (insigniaPeriod == null) return Error(GlobalMessages.InsigniaRequestNotFound); @@ -974,6 +989,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("org/no-send/{insigniaPeriodId:length(36)}")] public async Task> ListOrgDontSentUser(Guid insigniaPeriodId) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_MANAGE"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaPeriod = await _context.InsigniaPeriods.FirstOrDefaultAsync(x => x.Id == insigniaPeriodId); if (insigniaPeriod == null) return Error(GlobalMessages.InsigniaRequestNotFound); 
@@ -1333,8 +1354,31 @@ namespace BMA.EHR.Insignia.Service.Controllers /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet("note")] - public async Task> GetListNote() + public async Task> GetListNote(string path) { + path = path.Trim().ToUpper(); + string getPermission = string.Empty; + if (path == "RECORD") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD"); + } + else if (path == "ALLOCATE") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_ALLOCATE"); + } + else if (path == "BORROW") + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_BORROW"); + } + else + { + getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD"); + } + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaNotes = await _context.InsigniaNotes.AsQueryable() .OrderByDescending(x => x.Year) // .ThenByDescending(x => x.StartDate) @@ -1381,6 +1425,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPost("note/search")] public async Task> GetListNoteProfile([FromBody] InsigniaNoteSearchRequest req) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaNote = await _context.InsigniaNotes .FirstOrDefaultAsync(x => x.Id == req.InsigniaNoteId); if (insigniaNote == null) 
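Review bot: In GetListNote the new `path` query value is dereferenced with `path.Trim()` before any null check, and it is the caller who picks which permission is tested: any unrecognised value falls back to SYS_INSIGNIA_RECORD, while sending ALLOCATE or BORROW swaps in that permission instead. As far as the hunk shows, the query that follows does not depend on `path`, so the effective rule is LIST on any one of the three systems; if that is intended it deserves a comment, otherwise the action should check one fixed permission. The selection is also easier to audit as a single mapping with a null-safe, culture-invariant normalisation, as sketched below. The method body continues outside the hunk.

```csharp
// The caller-supplied page name only selects which LIST permission is checked;
// anything unrecognised (including a missing value) falls back to RECORD.
var system = path?.Trim().ToUpperInvariant() switch
{
    "ALLOCATE" => "SYS_INSIGNIA_ALLOCATE",
    "BORROW" => "SYS_INSIGNIA_BORROW",
    _ => "SYS_INSIGNIA_RECORD",
};
var getPermission = await _permission.GetPermissionAPIAsync("LIST", system);
// … unchanged: deserialize getPermission and return 403 unless status is "200" …
```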
@@ -1544,6 +1594,148 @@ namespace BMA.EHR.Insignia.Service.Controllers return Success(_insigniaNoteProfiles); } + + /// + /// list รายชื่อบันทึกผลการได้รับพระราชทานเครื่องราชอิสริยสภรณ์/การจ่ายใบกำกับ ไม่ validate สิทธิ์ + /// + /// + /// + /// ค่าตัวแปรที่ส่งมาไม่ถูกต้อง + /// ไม่ได้ Login เข้าระบบ + /// เมื่อเกิดข้อผิดพลาดในการทำงาน + [HttpPost("note-list/search")] + public async Task> GetListNoteProfileNonValidateRole([FromBody] InsigniaNoteSearchRequest req) + { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var insigniaNote = await _context.InsigniaNotes + .FirstOrDefaultAsync(x => x.Id == req.InsigniaNoteId); + if (insigniaNote == null) + return Error(GlobalMessages.InsigniaRequestNotFound); + var insigniaType = await _context.InsigniaTypes + .FirstOrDefaultAsync(x => x.Id == req.InsigniaTypeId); + if (insigniaType == null) + return Error(GlobalMessages.InsigniaTypeNotFound); + + var rawNoteProfiles = await _context.InsigniaNoteProfiles + .Where(x => x.InsigniaNote == insigniaNote) + .Where(x => x.RequestInsignia.InsigniaType == insigniaType) + .Where(x => req.InsigniaId == null ? 
x.RequestInsignia != null : (x.RequestInsignia.Id == req.InsigniaId)) + .Select(x => new + { + Id = x.Id, + Profile = _userProfileRepository.GetOfficerProfileById(x.ProfileId.Value, AccessToken), + OcId = Guid.Parse("e8493cd1-d371-402e-add6-566e68d5d1b3"), // TODO: ต้องมาแก้ไข + RequestInsignia = x.RequestInsignia.Name, + RequestInsigniaId = x.RequestInsignia.Id, + RequestInsigniaShortName = x.RequestInsignia.ShortName, + DateReceive = x.DateReceive, + OrganizationOrganizationSend = _userProfileRepository.GetOc(Guid.Parse("e8493cd1-d371-402e-add6-566e68d5d1b3"), 0, AccessToken).Root, //hardcode + OrganizationOrganizationReceive = _userProfileRepository.GetOc(Guid.Parse("e8493cd1-d371-402e-add6-566e68d5d1b3"), 0, AccessToken).Root, //hardcode + Status = x.Status, + Issue = x.Issue, + Date = x.Date, + VolumeNo = x.VolumeNo, + Section = x.Section, + Page = x.Page, + No = x.No, + DatePayment = x.DatePayment, + TypePayment = x.TypePayment, + Address = x.Address, + Number = x.Number, + Salary = x.Salary, + DateReceiveInsignia = x.DateReceiveInsignia, + DocReceiveInsignia = x.DocReceiveInsignia == null ? Guid.Parse("00000000-0000-0000-0000-000000000000") : x.DocReceiveInsignia.Id, + OrgReceiveInsignia = _userProfileRepository.GetOc(Guid.Parse("e8493cd1-d371-402e-add6-566e68d5d1b3"), 0, AccessToken).Root, //hardcode + DateReturnInsignia = x.DateReturnInsignia, + DocReturnInsignia = x.DocReturnInsignia == null ? Guid.Parse("00000000-0000-0000-0000-000000000000") : x.DocReturnInsignia.Id, + OrgReturnInsignia = _userProfileRepository.GetOc(Guid.Parse("e8493cd1-d371-402e-add6-566e68d5d1b3"), 0, AccessToken).Root, //hardcode + }) + .ToListAsync(); + + var insigniaNoteProfiles = rawNoteProfiles + .Select(x => new + { + Id = x.Id, + Prefix = x.Profile == null ? "" : x.Profile.Prefix, + Position = x.Profile == null ? "" : x.Profile.Position, + ProfileType = x.Profile == null ? "" : x.Profile.ProfileType, + x.OcId, + CitizenId = x.Profile == null ? 
"" : x.Profile.CitizenId, + FullName = x.Profile == null ? "" : $"{x.Profile.Prefix}{x.Profile.FirstName} {x.Profile.LastName}", + RequestInsignia = x.RequestInsignia, + RequestInsigniaId = x.RequestInsigniaId, + RequestInsigniaShortName = x.RequestInsigniaShortName, + DateReceive = x.DateReceive, + OrganizationOrganizationSend = x.OrganizationOrganizationSend, + OrganizationOrganizationReceive = x.OrganizationOrganizationReceive, + Status = x.Status, + Issue = x.Issue, + Date = x.Date, + VolumeNo = x.VolumeNo, + Section = x.Section, + Page = x.Page, + No = x.No, + DatePayment = x.DatePayment, + TypePayment = x.TypePayment, + Address = x.Address, + Number = x.Number, + Salary = x.Salary, + DateReceiveInsignia = x.DateReceiveInsignia, + DocReceiveInsignia = x.DocReceiveInsignia, + OrgReceiveInsignia = x.OrgReceiveInsignia, + DateReturnInsignia = x.DateReturnInsignia, + DocReturnInsignia = x.DocReturnInsignia, + OrgReturnInsignia = x.OrgReturnInsignia, + }) + .ToList(); + + var _insigniaNoteProfiles = new List(); + foreach (var insigniaNoteProfile in insigniaNoteProfiles) + { + _insigniaNoteProfiles.Add( + new + { + insigniaNoteProfile.Id, + insigniaNoteProfile.Prefix, + insigniaNoteProfile.Position, + insigniaNoteProfile.CitizenId, + insigniaNoteProfile.ProfileType, + insigniaNoteProfile.FullName, + insigniaNoteProfile.RequestInsignia, + insigniaNoteProfile.RequestInsigniaId, + insigniaNoteProfile.RequestInsigniaShortName, + insigniaNoteProfile.DateReceive, + insigniaNoteProfile.OrganizationOrganizationSend, + insigniaNoteProfile.OrganizationOrganizationReceive, + insigniaNoteProfile.Status, + insigniaNoteProfile.Issue, + insigniaNoteProfile.Date, + insigniaNoteProfile.VolumeNo, + insigniaNoteProfile.Section, + insigniaNoteProfile.Page, + insigniaNoteProfile.No, + insigniaNoteProfile.DatePayment, + insigniaNoteProfile.TypePayment, + insigniaNoteProfile.Address, + insigniaNoteProfile.Number, + insigniaNoteProfile.Salary, + insigniaNoteProfile.DateReceiveInsignia, + 
DocReceiveInsignia = insigniaNoteProfile.DocReceiveInsignia == Guid.Parse("00000000-0000-0000-0000-000000000000") ? null : await _documentService.ImagesPath(insigniaNoteProfile.DocReceiveInsignia), + insigniaNoteProfile.OrgReceiveInsignia, + insigniaNoteProfile.DateReturnInsignia, + DocReturnInsignia = insigniaNoteProfile.DocReturnInsignia == Guid.Parse("00000000-0000-0000-0000-000000000000") ? null : await _documentService.ImagesPath(insigniaNoteProfile.DocReturnInsignia), + insigniaNoteProfile.OrgReturnInsignia, + } + ); + } + + return Success(_insigniaNoteProfiles); + } /// /// Get รายชื่อบันทึกผลการได้รับพระราชทานเครื่องราชอิสริยสภรณ์/การจ่ายใบกำกับ @@ -1821,6 +2013,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPut("note/doc/{insigniaNoteId:length(36)}")] public async Task> AddDocumentProfile([FromForm] InsigniaNoteDocRequest req, Guid insigniaNoteId) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_RECORD"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaNote = await _context.InsigniaNotes .FirstOrDefaultAsync(x => x.Id == insigniaNoteId); if (insigniaNote == null) @@ -1869,6 +2067,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpGet("note/doc/{insigniaNoteId:length(36)}")] public async Task> GetDocumentProfile(Guid insigniaNoteId) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaNote = await _context.InsigniaNotes .Include(x => x.InsigniaNoteDocs) .ThenInclude(x => x.Document) 
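Review bot: GetListNoteProfileNonValidateRole is named and documented as skipping permission validation (its summary ends with "ไม่ validate สิทธิ์"), yet its first lines run the same `GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD")` gate as GetListNoteProfile, so either the name and summary or the check is wrong. Because the response carries CitizenId, Address and Salary, keeping the gate and renaming the action and its `note-list/search` route looks like the safer resolution; if an unvalidated variant really is intended, the summary should say who is allowed to call it. The projection also calls `_userProfileRepository.GetOfficerProfileById(x.ProfileId.Value, AccessToken)` and `GetOc(...)` inside the EF `Select` with a hard-coded organisation id marked TODO, which appears to issue a remote lookup per row and to dereference a nullable `ProfileId` without a guard. The method otherwise looks like a copy of the existing search action, so sharing the projection in one private method would keep the two from diverging.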
@@ -2078,6 +2282,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPut("preview/receice/{insigniaNoteId:length(36)}"), DisableRequestSizeLimit] public async Task> PreviewReceiceProfile([FromForm] ImportFileRequest req, Guid insigniaNoteId) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_RECORD"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaNote = await _context.InsigniaNotes .Include(x => x.InsigniaNoteProfiles) //.ThenInclude(x => x.Profile) @@ -2204,6 +2414,12 @@ namespace BMA.EHR.Insignia.Service.Controllers [HttpPut("preview/invoice/{insigniaNoteId:length(36)}"), DisableRequestSizeLimit] public async Task> PreviewInvoiceProfile([FromForm] ImportFileRequest req, Guid insigniaNoteId) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_RECORD"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var insigniaNote = await _context.InsigniaNotes .Include(x => x.InsigniaNoteProfiles) //.ThenInclude(x => x.Profile) diff --git a/BMA.EHR.Leave/Controllers/LeaveController.cs b/BMA.EHR.Leave/Controllers/LeaveController.cs index 55493a74..6cbc93e6 100644 --- a/BMA.EHR.Leave/Controllers/LeaveController.cs +++ b/BMA.EHR.Leave/Controllers/LeaveController.cs @@ -17,6 +17,7 @@ using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.ObjectPool; using Newtonsoft.Json; +using Newtonsoft.Json.Linq; using RabbitMQ.Client; using Swashbuckle.AspNetCore.Annotations; using System.ComponentModel.DataAnnotations; 
@@ -48,8 +49,8 @@ namespace BMA.EHR.Leave.Service.Controllers private readonly UserDutyTimeRepository _userDutyTimeRepository; private readonly AdditionalCheckRequestRepository _additionalCheckRequestRepository; private readonly LeaveRequestRepository _leaveRequestRepository; - private readonly UserCalendarRepository _userCalendarRepository; + private readonly PermissionRepository _permission; private readonly CommandRepository _commandRepository; @@ -77,7 +78,8 @@ namespace BMA.EHR.Leave.Service.Controllers UserCalendarRepository userCalendarRepository, CommandRepository commandRepository, LeaveRequestRepository leaveRequestRepository, - ObjectPool objectPool) + ObjectPool objectPool, + PermissionRepository permission) { _dutyTimeRepository = dutyTimeRepository; _context = context; @@ -95,6 +97,7 @@ namespace BMA.EHR.Leave.Service.Controllers _leaveRequestRepository = leaveRequestRepository; _objectPool = objectPool; + _permission = permission; } #endregion @@ -140,6 +143,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetAllAsync() { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_WORK_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _dutyTimeRepository.GetAllAsync(); return Success(data); 
@@ -178,6 +187,13 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> PostAsync([FromBody] CreateDutyTimeDto data) { + var getPermission = await _permission.GetPermissionAPIAsync("CREATE", "SYS_WORK_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + // validate var startMorning = TimeOnly.Parse(data.StartTimeMorning); var endMorning = TimeOnly.Parse(data.EndTimeMorning); @@ -257,6 +273,13 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> PutAsync(Guid id, [FromBody] UpdateDutyTimeDto data) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_WORK_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var oldData = await _dutyTimeRepository.GetByIdAsync(id); if (oldData == null) { @@ -300,6 +323,13 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> DeleteAsync(Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("DELETE", "SYS_WORK_ROUND"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var oldData = await _dutyTimeRepository.GetByIdAsync(id); if (oldData == null) { 
@@ -339,6 +369,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetAllActiveAsync() { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_WORK_ROUND_EDIT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _dutyTimeRepository.GetAllActiveAsync(); return Success(data); @@ -979,6 +1015,13 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> LogRecordAsync([Required] DateTime startDate, [Required] DateTime endDate, int page = 1, int pageSize = 10, string keyword = "") { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_CHECKIN"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + if (startDate.Date > endDate.Date) { return Error(new Exception("วันเริ่มต้นต้องมีค่าน้อยกว่าหรือเท่ากับวันสิ้นสุด"), StatusCodes.Status400BadRequest); 
@@ -1047,8 +1090,14 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetTimeRecordAsync([Required] Guid id) { - var imgUrl = $"{_configuration["MinIO:Endpoint"]}{_configuration["MinIO:BucketName"]}"; + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_CHECKIN"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var imgUrl = $"{_configuration["MinIO:Endpoint"]}{_configuration["MinIO:BucketName"]}"; var d = (await _processUserTimeStampRepository.GetTimeStampById(id)); if (d == null) @@ -1145,6 +1194,12 @@ namespace BMA.EHR.Leave.Service.Controllers [AllowAnonymous] public async Task> GetTimeRecordAsync([Required] DateTime startDate, [Required] DateTime endDate, int page = 1, int pageSize = 10, string status = "NORMAL", string keyword = "") { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_CHECKIN"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } if (startDate.Date > endDate.Date) { return Error(new Exception("วันเริ่มต้นต้องมีค่าน้อยกว่าหรือเท่ากับวันสิ้นสุด"), StatusCodes.Status400BadRequest); 
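Review bot: The time-record list action (the GetTimeRecordAsync overload taking startDate and endDate, in the hunk at -1145) keeps `[AllowAnonymous]` while now requiring LIST on SYS_CHECKIN, so the two declarations contradict each other. How `GetPermissionAPIAsync` behaves for a request that carries no token is not visible in this diff; depending on that, an unauthenticated call ends either in an unhandled error or in a decision made without an identity. Removing `[AllowAnonymous]` lets the framework reject unauthenticated callers before the permission lookup and makes the intent explicit. The method body continues outside the hunk.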
@@ -1322,7 +1377,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> SearchProfileAsync([FromBody] DTOs.ChangeRound.SearchProfileDto req) { - + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_WORK_ROUND_EDIT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var profile = await _userProfileRepository.SearchProfile(req.CitizenId, req.FirstName, req.LastName, AccessToken ?? ""); var pagedProfile = profile.Skip((req.Page - 1) * req.PageSize).Take(req.PageSize).ToList(); @@ -1369,6 +1429,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> CreateChangeRoundAsync([FromBody] CreateChangeRoundDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_WORK_ROUND_EDIT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var currentDate = DateTime.Now.Date; if (req.EffectiveDate.Date < currentDate) { @@ -1410,6 +1476,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetChangeRoundHistoryByProfileIdAsync(Guid id, int page = 1, int pageSize = 10, string keyword = "") { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_WORK_ROUND_EDIT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _userDutyTimeRepository.GetListByProfileIdAsync(id); var resultSet = new List(); 
@@ -1498,6 +1570,13 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetAdditionalCheckRequestAsync([Required] int year, [Required] int month, [Required] int page = 1, [Required] int pageSize = 10, string keyword = "") { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_CHECKIN_SPECIAL"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var rawData = await _additionalCheckRequestRepository.GetAdditionalCheckRequests(year, month); var getDefaultRound = await _dutyTimeRepository.GetDefaultAsync(); @@ -1605,6 +1684,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> ApproveRequestAsync(Guid id, [FromBody] ApproveRequestDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_CHECKIN_SPECIAL"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } if (req.Reason == null || req.Reason == string.Empty) { return Error("กรุณากรอกเหตุผล", StatusCodes.Status400BadRequest); 
@@ -1701,6 +1786,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> RejectRequestAsync(Guid id, [FromBody] RejectRequestDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_CHECKIN_SPECIAL"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } if (req.Reason == null || req.Reason == string.Empty) { return Error("กรุณากรอกเหตุผล", StatusCodes.Status400BadRequest); @@ -1745,6 +1836,13 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetLogRecordAsync([Required] Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_CHECKIN"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var imgUrl = $"{_configuration["MinIO:Endpoint"]}{_configuration["MinIO:BucketName"]}"; @@ -1963,6 +2061,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetCalendarByProfileAsync(Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_WORK_ROUND_EDIT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _userCalendarRepository.GetExist(id); if (data == null) return Success(new { Work = "NORMAL" }); 
@@ -1984,6 +2088,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> UpdateCalendarByProfileAsync(Guid id, [FromBody] UpdateCalendarDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_WORK_ROUND_EDIT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _userCalendarRepository.GetExist(id); if (data != null) { @@ -2023,6 +2133,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> EditCheckInStatusAsync(Guid id, [FromBody] EditCheckInStatusDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_CHECKIN"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _processUserTimeStampRepository.GetByIdAsync(id); if (data == null) return Error(GlobalMessages.DataNotFound); diff --git a/BMA.EHR.Leave/Controllers/LeaveReportController.cs b/BMA.EHR.Leave/Controllers/LeaveReportController.cs index 3e9a6f16..c8a2ca55 100644 --- a/BMA.EHR.Leave/Controllers/LeaveReportController.cs +++ b/BMA.EHR.Leave/Controllers/LeaveReportController.cs @@ -10,6 +10,8 @@ using BMA.EHR.Domain.Shared; using BMA.EHR.Leave.Service.DTOs.Reports; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; +using Newtonsoft.Json.Linq; +using Newtonsoft.Json; using Swashbuckle.AspNetCore.Annotations; using System.Globalization; using System.Security.Claims; 
@@ -37,6 +39,7 @@ namespace BMA.EHR.Leave.Service.Controllers private readonly HolidayRepository _holidayRepository; private readonly UserCalendarRepository _userCalendarRepository; private readonly IHttpContextAccessor _httpContextAccessor; + private readonly PermissionRepository _permission; #endregion @@ -51,7 +54,8 @@ namespace BMA.EHR.Leave.Service.Controllers UserDutyTimeRepository userDutyTimeRepository, HolidayRepository holidayRepository, UserCalendarRepository userCalendarRepository, - IHttpContextAccessor httpContextAccessor) + IHttpContextAccessor httpContextAccessor, + PermissionRepository permission) { _leaveRequestRepository = leaveRequestRepository; _userProfileRepository = userProfileRepository; @@ -63,6 +67,7 @@ namespace BMA.EHR.Leave.Service.Controllers _holidayRepository = holidayRepository; _userCalendarRepository = userCalendarRepository; _httpContextAccessor = httpContextAccessor; + _permission = permission; } #endregion @@ -743,6 +748,12 @@ namespace BMA.EHR.Leave.Service.Controllers { try { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_LEAVE_REPORT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } //var profile = await _userProfileRepository.SearchProfile(null, null, null); var profile = await _userProfileRepository.GetProfileWithKeycloak(AccessToken); if (profile.Count > 0) 
@@ -915,6 +926,12 @@ namespace BMA.EHR.Leave.Service.Controllers { try { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_LEAVE_REPORT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var profile = await _userProfileRepository.SearchProfileEmployee(null, null, null, AccessToken ?? ""); var count = 1; var employees = new List(); diff --git a/BMA.EHR.Leave/Controllers/LeaveRequestController.cs b/BMA.EHR.Leave/Controllers/LeaveRequestController.cs index 3bba1d70..4e38fcae 100644 --- a/BMA.EHR.Leave/Controllers/LeaveRequestController.cs +++ b/BMA.EHR.Leave/Controllers/LeaveRequestController.cs @@ -13,6 +13,8 @@ using BMA.EHR.Leave.Service.DTOs.LeaveRequest; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; using Microsoft.EntityFrameworkCore; +using Newtonsoft.Json.Linq; +using Newtonsoft.Json; using Swashbuckle.AspNetCore.Annotations; using System.Security.Claims; @@ -39,6 +41,7 @@ namespace BMA.EHR.Leave.Service.Controllers private readonly HolidayRepository _holidayRepository; private readonly CommandRepository _commandRepository; private readonly UserCalendarRepository _userCalendarRepository; + private readonly PermissionRepository _permission; private const string APPROVE_STEP_CREATE = "st1"; private const string APPROVE_STEP_OFFICER_APPROVE = "st2"; @@ -60,7 +63,8 @@ namespace BMA.EHR.Leave.Service.Controllers MinIOLeaveService minIOService, HolidayRepository holidayRepository, CommandRepository commandRepository, - UserCalendarRepository userCalendarRepository) + UserCalendarRepository userCalendarRepository, + PermissionRepository permission) { _context = context; _httpContextAccessor = httpContextAccessor; 
@@ -73,6 +77,7 @@ namespace BMA.EHR.Leave.Service.Controllers _holidayRepository = holidayRepository; _commandRepository = commandRepository; _userCalendarRepository = userCalendarRepository; + _permission = permission; } #endregion @@ -1088,6 +1093,12 @@ namespace BMA.EHR.Leave.Service.Controllers public async Task> GetLeaveRequestForAdminAsync( [FromBody] GetLeaveRequestForAdminDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var rawData = await _leaveRequestRepository.GetLeaveRequestForAdminAsync(req.Year, req.Type, req.Status, req.StartDate, req.EndDate); var result = new List(); @@ -1303,6 +1314,12 @@ namespace BMA.EHR.Leave.Service.Controllers public async Task> ApproveCancelLeaveRequestAsync(Guid id, [FromBody] CancelLeaveRequestApproveDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } await _leaveRequestRepository.ApproveCancelLeaveRequestAsync(id, req.Reason ?? ""); return Success(); @@ -1324,6 +1341,12 @@ namespace BMA.EHR.Leave.Service.Controllers public async Task> RejectCancelLeaveRequestAsync(Guid id, [FromBody] CancelLeaveRequestApproveDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } await _leaveRequestRepository.RejectCancelLeaveRequestAsync(id, req.Reason ?? ""); return Success(); 
@@ -1343,6 +1366,12 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> OfficerApproveLeaveRequestAsync(Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } await _leaveRequestRepository.OfficerApproveLeaveRequest(id); return Success(); @@ -1363,6 +1392,12 @@ namespace BMA.EHR.Leave.Service.Controllers public async Task> CommanderApproveLeaveRequestAsync(Guid id, [FromBody] LeaveRequestApproveDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } await _leaveRequestRepository.CommanderApproveLeaveRequest(id, req.Reason ?? ""); return Success(); @@ -1383,6 +1418,12 @@ namespace BMA.EHR.Leave.Service.Controllers public async Task> ApproveLeaveRequestAsync(Guid id, [FromBody] LeaveRequestApproveDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } await _leaveRequestRepository.ApproveLeaveRequest(id, req.Reason ?? ""); return Success(); 
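Review bot: OfficerApproveLeaveRequestAsync is gated only by `GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST")`, the same permission used for CommanderApproveLeaveRequestAsync and ApproveLeaveRequestAsync in the next two hunks and for the cancel and reject actions, so this check does not distinguish the officer, commander and final approval steps. Unless `_leaveRequestRepository` verifies the caller's role for the step and that the caller is not the requester, which this diff does not show, anyone holding that one permission can complete every step for any `id`. I would state on each action where the step-level check lives, for example `// step role and requester != approver are enforced in LeaveRequestRepository`, or use a distinct permission code per step if it is not enforced there.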
@@ -1423,6 +1464,12 @@ namespace BMA.EHR.Leave.Service.Controllers public async Task> RejectLeaveRequestAsync(Guid id, [FromBody] LeaveRequestApproveDto req) { + var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } await _leaveRequestRepository.RejectLeaveRequest(id, req.Reason ?? ""); return Success(); @@ -1442,6 +1489,13 @@ namespace BMA.EHR.Leave.Service.Controllers [ProducesResponseType(StatusCodes.Status500InternalServerError)] public async Task> GetLeaveRequestForAdminByIdAsync(Guid id) { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_LEAVE_LIST"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + var userId = UserId == null ? Guid.Empty : Guid.Parse(UserId); var rawData = await _leaveRequestRepository.GetByIdAsync(id); diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentController.cs index 08022767..20d533d4 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentController.cs @@ -69,6 +69,7 @@ namespace BMA.EHR.Placement.Service.Controllers /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] + // public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") public async Task> GetListByAdmin() { var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_PROMOTION_OFFICER"); 
@@ -164,6 +165,29 @@ namespace BMA.EHR.Placement.Service.Controllers // if (PlacementAdmin == true) // placementAppointments.Where(x => x.Status.Trim().ToUpper().Contains("PENDING")); + // if (keyword != "") + // { + // var data = placementAppointments.Where(x => + // (x.citizenId != null && x.citizenId.Contains(keyword)) || + // (x.prefix != null && x.prefix.Contains(keyword)) || + // (x.firstName != null && x.firstName.Contains(keyword)) || + // (x.lastName != null && x.lastName.Contains(keyword)) || + // (x.rootShortNameOld != null && x.rootShortNameOld.Contains(keyword)) || + // (x.posMasterNoOld != null && x.posMasterNoOld.ToString().Contains(keyword)) || + // (x.OrganizationOld != null && x.OrganizationOld.Contains(keyword)) || + // (x.posTypeNameOld != null && x.posTypeNameOld.Contains(keyword)) || + // (x.posLevelNameOld != null && x.posLevelNameOld.Contains(keyword)) || + // (x.OrganizationPositionOld != null && x.OrganizationPositionOld.Contains(keyword)) || + // (x.Reason != null && x.Reason.Contains(keyword)) || + // (x.nodeName != null && x.nodeName.Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + + // placementAppointments = data; + // } + return Success(placementAppointments); } diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentEmployeeController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentEmployeeController.cs index 351a5995..6a0ea4c7 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentEmployeeController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementAppointmentEmployeeController.cs 
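Review bot: The keyword filter added to `GetListByAdmin` is entirely commented out, and the same disabled block is added to the other `GetListByAdmin` actions and to `GetExam` later in this commit; code that is not meant to run is better kept on a branch than in the controllers. If it is going to be re-enabled, note that `Skip`/`Take` sit inside `if (keyword != "")`, so a request without a keyword would still return the whole list. In the `PlacementAppointmentEmployeeController` hunk the block follows `.ToListAsync()`, so there the filter would run in memory after every row has been loaded, and the same appears to hold here. Applying the filter and the paging to the query before it is materialised would bound both what is read and what is returned.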
@@ -70,6 +70,7 @@ namespace BMA.EHR.Placement.Service.Controllers /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] public async Task> GetListByAdmin() + // public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") { var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_PROMOTION_EMP"); var jsonData = JsonConvert.DeserializeObject(getPermission); @@ -161,6 +162,28 @@ namespace BMA.EHR.Placement.Service.Controllers p.typeCommand, }) .ToListAsync(); + // if (keyword != "") + // { + // var data = placementAppointments.Where(x => + // (x.citizenId != null && x.citizenId.Contains(keyword)) || + // (x.prefix != null && x.prefix.Contains(keyword)) || + // (x.firstName != null && x.firstName.Contains(keyword)) || + // (x.lastName != null && x.lastName.Contains(keyword)) || + // (x.rootShortNameOld != null && x.rootShortNameOld.Contains(keyword)) || + // (x.posMasterNoOld != null && x.posMasterNoOld.ToString().Contains(keyword)) || + // (x.OrganizationOld != null && x.OrganizationOld.Contains(keyword)) || + // (x.posTypeNameOld != null && x.posTypeNameOld.Contains(keyword)) || + // (x.posLevelNameOld != null && x.posLevelNameOld.Contains(keyword)) || + // (x.OrganizationPositionOld != null && x.OrganizationPositionOld.Contains(keyword)) || + // (x.Reason != null && x.Reason.Contains(keyword)) || + // (x.nodeName != null && x.nodeName.Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + + // placementAppointments = data; + // } return Success(placementAppointments); } diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementController.cs index c70632b5..4700c31f 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementController.cs 
@@ -17,6 +17,8 @@ using Microsoft.Extensions.Configuration; using System.Net.Http.Headers; using Newtonsoft.Json; using Newtonsoft.Json.Linq; +using Microsoft.AspNetCore.Http.HttpResults; +using System.Drawing.Drawing2D; namespace BMA.EHR.Placement.Service.Controllers { @@ -91,7 +93,14 @@ namespace BMA.EHR.Placement.Service.Controllers [HttpGet("exam/{year}")] public async Task> GetExam(int year) + // public async Task> GetExam(int year, int page = 1, int pageSize = 10, string keyword = "") { + var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_PLACEMENT_PASS"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _context.Placements.Where(x => year > 0 ? (x.Year == year) : (x.Year > 0)) .OrderByDescending(x => x.CreatedAt) .Select(x => new 
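Review bot: The two added directives, `using Microsoft.AspNetCore.Http.HttpResults;` and `using System.Drawing.Drawing2D;`, are not used by anything in the hunks shown for `PlacementController.cs` and look like IDE auto-imports. A drawing namespace has no obvious role in an API controller, so I would drop both lines unless code outside these hunks needs them.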
@@ -107,14 +116,33 @@ namespace BMA.EHR.Placement.Service.Controllers AccountEndDate = x.EndDate, AccountExpirationDate = x.EndDate, IsExpired = x.EndDate.Date < DateTime.Now.Date, + CreatedAt = x.CreatedAt, }).ToListAsync(); + // if (keyword != "") + // { + // var data_ = data.Where(x => + // (x.ExamRound != null && x.ExamRound.Contains(keyword)) || + // (x.ExamOrder != null && x.ExamOrder.Contains(keyword)) || + // (x.NumberOfCandidates != null && x.NumberOfCandidates.ToString().Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + // data = data_; + // } return Success(data); } [HttpGet("pass/{examId:length(36)}")] public async Task> GetExamByPlacement(Guid examId) { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_PLACEMENT_PASS"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } if (PlacementAdmin == true) { var data = await _context.PlacementProfiles.Where(x => x.Placement.Id == examId).Select(x => new diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementOfficerController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementOfficerController.cs index 24f0b17e..8ad0b7fa 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementOfficerController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementOfficerController.cs @@ -70,6 +70,7 @@ namespace BMA.EHR.Placement.Service.Controllers /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] public async Task> GetListByAdmin() + // public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") { var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_TEMPDUTY"); var jsonData = JsonConvert.DeserializeObject(getPermission); 
@@ -142,6 +143,26 @@ namespace BMA.EHR.Placement.Service.Controllers }) .ToListAsync(); + // if (keyword != "") + // { + // var data = placementOfficers.Where(x => + // (x.prefix != null && x.prefix.Contains(keyword)) || + // (x.firstName != null && x.firstName.Contains(keyword)) || + // (x.lastName != null && x.lastName.Contains(keyword)) || + // (x.rootShortNameOld != null && x.rootShortNameOld.Contains(keyword)) || + // (x.posMasterNoOld != null && x.posMasterNoOld.ToString().Contains(keyword)) || + // (x.PositionOld != null && x.PositionOld.Contains(keyword)) || + // (x.posTypeNameOld != null && x.posTypeNameOld.Contains(keyword)) || + // (x.posLevelNameOld != null && x.posLevelNameOld.Contains(keyword)) || + // (x.Organization != null && x.Organization.Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + + // placementOfficers = data; + // } + return Success(placementOfficers); } } diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementReceiveController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementReceiveController.cs index a366d428..7bf549b9 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementReceiveController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementReceiveController.cs @@ -69,7 +69,8 @@ namespace BMA.EHR.Placement.Service.Controllers /// ไม่ได้ Login เข้าระบบ /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] - public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") + public async Task> GetListByAdmin() + // public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") { var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_TRANSFER_RECEIVE"); var jsonData = JsonConvert.DeserializeObject(getPermission); 
@@ -180,23 +181,24 @@ namespace BMA.EHR.Placement.Service.Controllers .ToListAsync(); // if (PlacementAdmin == true) // placementReceives.Where(x => x.Status.Trim().ToUpper().Contains("PENDING")); - if (keyword != "") - { - var data = placementReceives.Where(x => - (x.prefix != null && x.prefix.Contains(keyword)) || - (x.firstName != null && x.firstName.Contains(keyword)) || - (x.lastName != null && x.lastName.Contains(keyword)) || - (x.citizenId != null && x.citizenId.Contains(keyword)) || - (x.root != null && x.root.Contains(keyword)) || - (x.nodeName != null && x.nodeName.Contains(keyword)) || - (x.nodeShortName != null && x.nodeShortName.Contains(keyword))) - .OrderByDescending(x => x.CreatedAt) - .Skip((page - 1) * pageSize) - .Take(pageSize) - .ToList(); - placementReceives = data; - } + // if (keyword != "") + // { + // var data = placementReceives.Where(x => + // (x.prefix != null && x.prefix.Contains(keyword)) || + // (x.firstName != null && x.firstName.Contains(keyword)) || + // (x.lastName != null && x.lastName.Contains(keyword)) || + // (x.citizenId != null && x.citizenId.Contains(keyword)) || + // (x.root != null && x.root.Contains(keyword)) || + // (x.nodeName != null && x.nodeName.Contains(keyword)) || + // (x.nodeShortName != null && x.nodeShortName.Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + + // placementReceives = data; + // } return Success(placementReceives); // } } diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementRepatriationController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementRepatriationController.cs index c8ae57ee..abb7055c 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementRepatriationController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementRepatriationController.cs 
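Review bot: With `page`, `pageSize` and `keyword` removed from `GetListByAdmin` in the previous hunk and the filter commented out here, the action now always returns the complete `placementReceives` list, and query-string values that existing clients still send are silently ignored. The disabled filter matched on `citizenId` among other fields, so the rows appear to carry personal identifiers; returning them unbounded increases both the response size and the amount of personal data exposed per call. If server-side paging is being retired on purpose, say so in the XML doc comment of the action and delete the dead block. Otherwise keep the parameters and apply `Skip`/`Take` unconditionally, before the list is materialised.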
@@ -71,6 +71,7 @@ namespace BMA.EHR.Placement.Service.Controllers /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] public async Task> GetListByAdmin() + // public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") { var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_TEMPDUTY2"); var jsonData = JsonConvert.DeserializeObject(getPermission); @@ -148,6 +149,27 @@ namespace BMA.EHR.Placement.Service.Controllers }) .ToListAsync(); + // if (keyword != "") + // { + // var data = placementRepatriations.Where(x => + // (x.prefix != null && x.prefix.Contains(keyword)) || + // (x.firstName != null && x.firstName.Contains(keyword)) || + // (x.lastName != null && x.lastName.Contains(keyword)) || + // (x.rootShortNameOld != null && x.rootShortNameOld.Contains(keyword)) || + // (x.posMasterNoOld != null && x.posMasterNoOld.ToString().Contains(keyword)) || + // (x.PositionOld != null && x.PositionOld.Contains(keyword)) || + // (x.posTypeNameOld != null && x.posTypeNameOld.Contains(keyword)) || + // (x.posLevelNameOld != null && x.posLevelNameOld.Contains(keyword)) || + // (x.OrganizationPositionOld != null && x.OrganizationPositionOld.Contains(keyword)) || + // (x.Organization != null && x.Organization.Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + + // placementRepatriations = data; + // } + return Success(placementRepatriations); } } diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs index 38b9c196..000adcf0 100644 --- a/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs +++ b/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs 
@@ -143,6 +143,7 @@ namespace BMA.EHR.Placement.Service.Controllers /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] public async Task> GetListByAdmin() + // public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") { var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_TRANSFER_REQ"); var jsonData = JsonConvert.DeserializeObject(getPermission); @@ -219,6 +220,22 @@ namespace BMA.EHR.Placement.Service.Controllers }) .ToListAsync(); + // if (keyword != "") + // { + // var data = placementTransfers.Where(x => + // (x.prefix != null && x.prefix.Contains(keyword)) || + // (x.firstName != null && x.firstName.Contains(keyword)) || + // (x.lastName != null && x.lastName.Contains(keyword)) || + // (x.posTypeNameOld != null && x.posTypeNameOld.Contains(keyword)) || + // (x.posLevelNameOld != null && x.posLevelNameOld.Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + + // placementTransfers = data; + // } + return Success(placementTransfers); } } @@ -515,7 +532,7 @@ namespace BMA.EHR.Placement.Service.Controllers placementTransfer.posTypeNameOld = org.result.posTypeName; placementTransfer.posLevelOldId = org.result.posLevelId; placementTransfer.posLevelNameOld = org.result.posLevelName; - + placementTransfer.AmountOld = org.result.salary; placementTransfer.PositionOld = org.result.position; placementTransfer.PositionLevelOld = org.result.posLevelName; placementTransfer.PositionTypeOld = org.result.posTypeName; diff --git a/BMA.EHR.Placement.Service/Requests/OrgRequest.cs b/BMA.EHR.Placement.Service/Requests/OrgRequest.cs index f0d858e4..54263203 100644 --- a/BMA.EHR.Placement.Service/Requests/OrgRequest.cs +++ b/BMA.EHR.Placement.Service/Requests/OrgRequest.cs 
@@ -40,5 +40,7 @@ namespace BMA.EHR.Placement.Service.Requests
 public string? posTypeName { get; set; }
 public string? posLevelId { get; set; }
 public string? posLevelName { get; set; }
+ public double? salary { get; set; }
+
 }
 }
\ No newline at end of file
diff --git a/BMA.EHR.Report.Service/Controllers/CandidateReportController.cs b/BMA.EHR.Report.Service/Controllers/CandidateReportController.cs
index b825ee69..9952d6d0 100644
--- a/BMA.EHR.Report.Service/Controllers/CandidateReportController.cs
+++ b/BMA.EHR.Report.Service/Controllers/CandidateReportController.cs
@@ -52,47 +52,105 @@ namespace BMA.EHR.Report.Service.Controllers var avatar = await _service.GetExamAvatarCandidateAsync(Id); if (candidate != null) { - var mimeType = ""; - switch (exportType.Trim().ToLower()) - { - case "pdf": mimeType = "application/pdf"; break; - case "docx": mimeType = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"; break; - case "xlsx": mimeType = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"; break; - } + //var mimeType = ""; + //switch (exportType.Trim().ToLower()) + //{ + // case "pdf": mimeType = "application/pdf"; break; + // case "docx": mimeType = "application/vnd.openxmlformats-officedocument.wordprocessingml.document"; break; + // case "xlsx": mimeType = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet"; break; + //} - var rptFile = System.IO.Path.Combine(_hostingEnvironment.ContentRootPath, "Reports", $"ผลสอบคัดเลือกรายบุคคล.trdp"); - ReportPackager reportPacker = new ReportPackager(); - Telerik.Reporting.Report? report = null; - using (var sourceStream = System.IO.File.OpenRead(rptFile)) - { - report = (Telerik.Reporting.Report)reportPacker.UnpackageDocument(sourceStream); - } - report.DataSource = candidate; + //var rptFile = System.IO.Path.Combine(_hostingEnvironment.ContentRootPath, "Reports", $"ผลสอบคัดเลือกรายบุคคล.trdp"); + //ReportPackager reportPacker = new ReportPackager(); + //Telerik.Reporting.Report? 
report = null; + //using (var sourceStream = System.IO.File.OpenRead(rptFile)) + //{ + // report = (Telerik.Reporting.Report)reportPacker.UnpackageDocument(sourceStream); + //} + //report.DataSource = candidate; - var tblData = (Telerik.Reporting.Table)report.Items["detailSection1"].Items["tblData"]; - tblData.DataSource = careers; + //var tblData = (Telerik.Reporting.Table)report.Items["detailSection1"].Items["tblData"]; + //tblData.DataSource = careers; - Console.WriteLine("000000"); - if (avatar != Guid.Parse("00000000-0000-0000-0000-000000000000")) - { - try - { - // Get avatar Image - var picContent = await _minIOExamService.DownloadFileAsync(avatar); - var pictureBox = (Telerik.Reporting.PictureBox)report.Items["detailSection1"].Items["picAvatar"]; - pictureBox.Value = Image.FromStream(new MemoryStream(picContent.FileContent)); - } - catch { } - } + //Console.WriteLine("000000"); + //if (avatar != Guid.Parse("00000000-0000-0000-0000-000000000000")) + //{ + // try + // { + // // Get avatar Image + //var picContent = await _minIOExamService.DownloadFileAsync(avatar); + //var pictureBox = (Telerik.Reporting.PictureBox)report.Items["detailSection1"].Items["picAvatar"]; + //pictureBox.Value = Image.FromStream(new MemoryStream(picContent.FileContent)); + // } + // catch { } + //} - System.Collections.Hashtable deviceInfo = new System.Collections.Hashtable(); - InstanceReportSource instanceReportSource = new InstanceReportSource() + //System.Collections.Hashtable deviceInfo = new System.Collections.Hashtable(); + //InstanceReportSource instanceReportSource = new InstanceReportSource() + //{ + // ReportDocument = report, + //}; + //ReportProcessor reportProcessor = new ReportProcessor(_configuration); + //RenderingResult result = reportProcessor.RenderReport($"{exportType}", instanceReportSource, deviceInfo); + //return File(result.DocumentBytes, mimeType, $"ใบสมัครสอบคัดเลือก.{exportType.Trim().ToLower()}"); + var mapData = new { - ReportDocument = report, + Id = 
candidate.GetType().GetProperty("Id").GetValue(candidate), + AvatarId = candidate.GetType().GetProperty("AvatarId").GetValue(candidate), + PeriodExamName = candidate.GetType().GetProperty("PeriodExamName").GetValue(candidate), + PeriodExamRound = candidate.GetType().GetProperty("PeriodExamRound").GetValue(candidate), + PeriodExamYear = candidate.GetType().GetProperty("PeriodExamYear").GetValue(candidate), + PositionName = candidate.GetType().GetProperty("PositionName").GetValue(candidate), + PositionLevelName = candidate.GetType().GetProperty("PositionLevelName").GetValue(candidate), + FullName = candidate.GetType().GetProperty("FullName").GetValue(candidate), + Nationality = candidate.GetType().GetProperty("Nationality").GetValue(candidate), + Religion = candidate.GetType().GetProperty("Religion").GetValue(candidate), + CitizenId = candidate.GetType().GetProperty("CitizenId").GetValue(candidate), + DateOfBirth = candidate.GetType().GetProperty("DateOfBirth").GetValue(candidate), + Age = candidate.GetType().GetProperty("Age").GetValue(candidate), + EducationLevelExamName = candidate.GetType().GetProperty("EducationLevelExamName").GetValue(candidate), + EducationName = candidate.GetType().GetProperty("EducationName").GetValue(candidate), + EducationMajor = candidate.GetType().GetProperty("EducationMajor").GetValue(candidate), + EducationLocation = candidate.GetType().GetProperty("EducationLocation").GetValue(candidate), + EducationEndDate = candidate.GetType().GetProperty("EducationEndDate").GetValue(candidate), + EducationScores = candidate.GetType().GetProperty("EducationScores").GetValue(candidate), + EducationType = candidate.GetType().GetProperty("EducationType").GetValue(candidate), + EducationLevelHighName = candidate.GetType().GetProperty("EducationLevelHighName").GetValue(candidate), + ExamIdenNumber = candidate.GetType().GetProperty("ExamIdenNumber").GetValue(candidate), + OccupationPositionType = 
candidate.GetType().GetProperty("OccupationPositionType").GetValue(candidate), + OccupationPosition = candidate.GetType().GetProperty("OccupationPosition").GetValue(candidate), + OccupationSalary = candidate.GetType().GetProperty("OccupationSalary").GetValue(candidate), + OccupationGroup = candidate.GetType().GetProperty("OccupationGroup").GetValue(candidate), + OccupationPile = candidate.GetType().GetProperty("OccupationPile").GetValue(candidate), + OccupationOrg = candidate.GetType().GetProperty("OccupationOrg").GetValue(candidate), + OccupationTelephone = candidate.GetType().GetProperty("OccupationTelephone").GetValue(candidate), + CareersTotal = candidate.GetType().GetProperty("CareersTotal").GetValue(candidate), + RegistAddress = candidate.GetType().GetProperty("RegistAddress").GetValue(candidate), + RegistProvinceName = candidate.GetType().GetProperty("RegistProvinceName").GetValue(candidate), + RegistDistrictName = candidate.GetType().GetProperty("RegistDistrictName").GetValue(candidate), + RegistSubDistrictName = candidate.GetType().GetProperty("RegistSubDistrictName").GetValue(candidate), + RegistZipCode = candidate.GetType().GetProperty("RegistZipCode").GetValue(candidate), + CurrentAddress = candidate.GetType().GetProperty("CurrentAddress").GetValue(candidate), + CurrentProvinceName = candidate.GetType().GetProperty("CurrentProvinceName").GetValue(candidate), + CurrentDistrictName = candidate.GetType().GetProperty("CurrentDistrictName").GetValue(candidate), + CurrentSubDistrictName = candidate.GetType().GetProperty("CurrentSubDistrictName").GetValue(candidate), + CurrentZipCode = candidate.GetType().GetProperty("CurrentZipCode").GetValue(candidate), + Telephone = candidate.GetType().GetProperty("Telephone").GetValue(candidate), + Email = candidate.GetType().GetProperty("Email").GetValue(candidate), + ContactFullName = candidate.GetType().GetProperty("ContactFullName").GetValue(candidate), + ContactRelations = 
candidate.GetType().GetProperty("ContactRelations").GetValue(candidate), + ContactTel = candidate.GetType().GetProperty("ContactTel").GetValue(candidate), + RegisterDate = candidate.GetType().GetProperty("RegisterDate").GetValue(candidate), + Url = "https://bma-ehr.frappet.synology.me/assets/avatar_user-89f22423.jpg", + Careers = careers, }; - ReportProcessor reportProcessor = new ReportProcessor(_configuration); - RenderingResult result = reportProcessor.RenderReport($"{exportType}", instanceReportSource, deviceInfo); - return File(result.DocumentBytes, mimeType, $"ใบสมัครสอบคัดเลือก.{exportType.Trim().ToLower()}"); + + var data = new { + template = "ผลสอบคัดเลือกรายบุคคล", + reportName = "docx-report", + data = mapData + }; + return Success(data); } else { diff --git a/BMA.EHR.Report.Service/Controllers/InsigniaReportController.cs b/BMA.EHR.Report.Service/Controllers/InsigniaReportController.cs index 52fdaec3..54526364 100644 --- a/BMA.EHR.Report.Service/Controllers/InsigniaReportController.cs +++ b/BMA.EHR.Report.Service/Controllers/InsigniaReportController.cs @@ -3,9 +3,12 @@ using BMA.EHR.Domain.Common; using BMA.EHR.Domain.Extensions; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Mvc; +using Newtonsoft.Json.Linq; +using Newtonsoft.Json; using Swashbuckle.AspNetCore.Annotations; using Telerik.Reporting; using Telerik.Reporting.Processing; +using BMA.EHR.Application.Repositories; namespace BMA.EHR.Report.Service.Controllers { 
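Review bot: The new `mapData` block reads more than forty properties with `candidate.GetType().GetProperty("…").GetValue(candidate)`, and each call throws a `NullReferenceException` if the repository projection ever renames or drops that property, because `GetProperty` returns null for an unknown name. A typed DTO returned by the repository, or at least one small local function that looks the property up and returns null when it is missing, would remove both the repetition and that failure mode. `Url` is a hard-coded address of one deployment, while the `avatar` id fetched just above is no longer used within the hunk; read the address from configuration instead, e.g. `Url = _configuration["<AVATAR_URL_KEY>"]` (the key name is a placeholder). The action now returns the candidate's citizen id, addresses, phone and e-mail as JSON instead of a rendered document, and no permission check is visible in this hunk. The method starts outside the hunk, so confirm the endpoint is restricted to callers entitled to that data.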
@@ -23,19 +26,20 @@ namespace BMA.EHR.Report.Service.Controllers private readonly IConfiguration _configuration; private readonly InsigniaReportRepository _repository; private readonly GenericReportGenerator _reportGenerator; - + private readonly PermissionRepository _permission; #endregion #region " Constuctor and Destructor " - public InsigniaReportController(IWebHostEnvironment hostingEnvironment, IConfiguration configuration, InsigniaReportRepository repository, GenericReportGenerator reportGenerator) + public InsigniaReportController(IWebHostEnvironment hostingEnvironment, IConfiguration configuration, InsigniaReportRepository repository, GenericReportGenerator reportGenerator, PermissionRepository permission) { _hostingEnvironment = hostingEnvironment; _configuration = configuration; _repository = repository; _reportGenerator = reportGenerator; + _permission = permission; } #endregion @@ -384,7 +388,12 @@ namespace BMA.EHR.Report.Service.Controllers { try { - + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_INSIGNIA_REPORT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var mimeType = ""; switch (exportType.Trim().ToLower()) { @@ -421,6 +430,12 @@ namespace BMA.EHR.Report.Service.Controllers { try { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_INSIGNIA_REPORT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } var data = await _repository.GetSummaryCoinReport(id); var SummaryTotal = await _repository.GetSummaryTotalCoinReport(id); var YearInsignalPeriod = await _repository.GetYearInsigniaPeriod(id); 
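Review bot: The permission check is placed inside the existing `try` block in this action and in the two that follow (`@@ -421` and `@@ -493`), so a failure of `GetPermissionAPIAsync` or a null `jsonData` is handled by a `catch` that lies outside the hunks. Confirm that the handler returns an error without falling through to report generation and without sending exception text to the client. The constructor now requires `PermissionRepository`, and its registration in this service's DI container is not part of the visible diff. Check that it is registered, otherwise the controller will fail to activate at runtime.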
@@ -493,6 +508,13 @@ namespace BMA.EHR.Report.Service.Controllers { try { + var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_INSIGNIA_REPORT"); + var jsonData = JsonConvert.DeserializeObject(getPermission); + if (jsonData["status"]?.ToString() != "200") + { + return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + } + //Guid ids = Guid.Parse(id); var data = await _repository.GetCoinReport(id); var YearInsignalPeriod = await _repository.GetYearInsigniaPeriod(id); diff --git a/BMA.EHR.Retirement.Service/Controllers/RetirementOtherController.cs b/BMA.EHR.Retirement.Service/Controllers/RetirementOtherController.cs index 3138d35e..a3b2ec1a 100644 --- a/BMA.EHR.Retirement.Service/Controllers/RetirementOtherController.cs +++ b/BMA.EHR.Retirement.Service/Controllers/RetirementOtherController.cs @@ -70,6 +70,7 @@ namespace BMA.EHR.Retirement.Service.Controllers /// เมื่อเกิดข้อผิดพลาดในการทำงาน [HttpGet()] public async Task> GetListByAdmin() + // public async Task> GetListByAdmin(int page = 1, int pageSize = 10, string keyword = "") { var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_PLACEMENT_OTHER"); var jsonData = JsonConvert.DeserializeObject(getPermission); 
@@ -146,6 +147,25 @@ namespace BMA.EHR.Retirement.Service.Controllers CommandType = p.CommandType == null ? null : p.CommandType.Name, }) .ToListAsync(); + // if (keyword != "") + // { + // var data = retirementOthers.Where(x => + // (x.prefix != null && x.prefix.Contains(keyword)) || + // (x.firstName != null && x.firstName.Contains(keyword)) || + // (x.lastName != null && x.lastName.Contains(keyword)) || + // (x.rootShortNameOld != null && x.rootShortNameOld.Contains(keyword)) || + // (x.posMasterNoOld != null && x.posMasterNoOld.ToString().Contains(keyword)) || + // (x.posTypeNameOld != null && x.posTypeNameOld.Contains(keyword)) || + // (x.posLevelNameOld != null && x.posLevelNameOld.Contains(keyword)) || + // (x.OrganizationPositionOld != null && x.OrganizationPositionOld.Contains(keyword)) || + // (x.Reason != null && x.Reason.Contains(keyword))) + // .OrderByDescending(x => x.CreatedAt) + // .Skip((page - 1) * pageSize) + // .Take(pageSize) + // .ToList(); + + // retirementOthers = data; + // } return Success(retirementOthers); } diff --git a/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs b/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs index 774a529f..5013adeb 100644 --- a/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs +++ b/BMA.EHR.Retirement.Service/Controllers/RetirementResignController.cs @@ -1453,7 +1453,7 @@ $"คำขอลาออกของ {updated.prefix}{updated.firstName} {upda } /// - /// list คำถาม + /// list คำถาม (USER) /// /// /// 
@@ -1463,12 +1463,12 @@ $"คำขอลาออกของ {updated.prefix}{updated.firstName} {upda [HttpGet("questionnaire/question")] public async Task> GetQuestionnaireQuestion() { - var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_RESIGN_INTERVIEW"); - var jsonData = JsonConvert.DeserializeObject(getPermission); - if (jsonData["status"]?.ToString() != "200") - { - return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); - } + //var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_RESIGN_INTERVIEW"); + //var jsonData = JsonConvert.DeserializeObject(getPermission); + //if (jsonData["status"]?.ToString() != "200") + //{ + // return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden); + //} var retirementQuestionnaireQuestion = await _context.RetirementQuestionnaireQuestions.AsQueryable() .Select(x => new { 
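Review bot: The authorization check in `GetQuestionnaireQuestion` is disabled by commenting it out, which leaves six dead lines and no statement of who may call the action now. Delete the block and record the intent next to the action, e.g. `// Open to any authenticated user; the permission-checked variant is GetQuestionnaireQuestionAdmin`. Also confirm that the controller carries an `[Authorize]` attribute, which is not visible in this hunk. If this action's projection, which continues outside the hunk, returns the same `Question1Score` … `Question10Answer` fields as the admin action added later in this commit, the permission check on the admin route protects nothing that this route does not already return.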
@@ -1570,5 +1570,63 @@ $"คำขอลาออกของ {updated.prefix}{updated.firstName} {upda
 return Success();
 }
+
+ ///
+ /// list คำถาม (ADMIN)
+ ///
+ ///
+ ///
+ /// ค่าตัวแปรที่ส่งมาไม่ถูกต้อง
+ /// ไม่ได้ Login เข้าระบบ
+ /// เมื่อเกิดข้อผิดพลาดในการทำงาน
+ [HttpGet("questionnaire/question/admin")]
+ public async Task> GetQuestionnaireQuestionAdmin()
+ {
+ var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_RESIGN_INTERVIEW");
+ var jsonData = JsonConvert.DeserializeObject(getPermission);
+ if (jsonData["status"]?.ToString() != "200")
+ {
+ return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+ }
+ var retirementQuestionnaireQuestion = await _context.RetirementQuestionnaireQuestions.AsQueryable()
+ .Select(x => new
+ {
+ Question1Desc = x.Question1Desc,
+ Question1Score = x.Question1Score,
+ Question1Answer = x.Question1Answer == null ? null : JsonConvert.DeserializeObject>(x.Question1Answer),
+ Question2Desc = x.Question2Desc,
+ Question2Score = x.Question2Score,
+ Question2Answer = x.Question2Answer == null ? null : JsonConvert.DeserializeObject>(x.Question2Answer),
+ Question3Desc = x.Question3Desc,
+ Question3Score = x.Question3Score,
+ Question3Answer = x.Question3Answer == null ? null : JsonConvert.DeserializeObject>(x.Question3Answer),
+ Question4Desc = x.Question4Desc,
+ Question4Score = x.Question4Score,
+ Question4Answer = x.Question4Answer == null ? null : JsonConvert.DeserializeObject>(x.Question4Answer),
+ Question5Desc = x.Question5Desc,
+ Question5Score = x.Question5Score,
+ Question5Answer = x.Question5Answer == null ? null : JsonConvert.DeserializeObject>(x.Question5Answer),
+ Question6Desc = x.Question6Desc,
+ Question6Score = x.Question6Score,
+ Question6Answer = x.Question6Answer == null ? null : JsonConvert.DeserializeObject>(x.Question6Answer),
+ Question7Desc = x.Question7Desc,
+ Question7Score = x.Question7Score,
+ Question7Answer = x.Question7Answer == null ? null : JsonConvert.DeserializeObject>(x.Question7Answer),
+ Question8Desc = x.Question8Desc,
+ Question8Score = x.Question8Score,
+ Question8Answer = x.Question8Answer == null ? null : JsonConvert.DeserializeObject>(x.Question8Answer),
+ Question9Desc = x.Question9Desc,
+ Question9Score = x.Question9Score,
+ Question9Answer = x.Question9Answer == null ? null : JsonConvert.DeserializeObject>(x.Question9Answer),
+ Question10Desc = x.Question10Desc,
+ Question10Score = x.Question10Score,
+ Question10Answer = x.Question10Answer == null ? null : JsonConvert.DeserializeObject>(x.Question10Answer),
+ })
+ .FirstOrDefaultAsync();
+ if (retirementQuestionnaireQuestion == null)
+ return Error(GlobalMessages.RetirementQuestionNotFound);
+
+ return Success(retirementQuestionnaireQuestion);
+ }
 }
 }
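Review bot: In `GetQuestionnaireQuestionAdmin` the permission response is dereferenced without a null check: if `GetPermissionAPIAsync` returns an empty body, `JsonConvert.DeserializeObject` yields null and `jsonData["status"]` throws instead of returning the 403. The request is still refused, but as an unhandled error rather than an explicit denial; `if (jsonData == null || jsonData["status"]?.ToString() != "200")` keeps the deny path deliberate. The forwarded `jsonData["message"]` originates from the permission service, so check that it cannot carry internal detail to the client. This status-parsing block is copied per action (the same lines are commented out in `GetQuestionnaireQuestion` in the previous hunk); a shared helper or authorization filter would make it harder to drop the check in one place unnoticed.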