diff --git a/BMA.EHR.Leave/Controllers/LeaveRequestController.cs b/BMA.EHR.Leave/Controllers/LeaveRequestController.cs
index 9dd6664f..4e38fcae 100644
--- a/BMA.EHR.Leave/Controllers/LeaveRequestController.cs
+++ b/BMA.EHR.Leave/Controllers/LeaveRequestController.cs
@@ -1314,6 +1314,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> ApproveCancelLeaveRequestAsync(Guid id,
             [FromBody] CancelLeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.ApproveCancelLeaveRequestAsync(id, req.Reason ?? "");
 
             return Success();
@@ -1335,6 +1341,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> RejectCancelLeaveRequestAsync(Guid id,
             [FromBody] CancelLeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.RejectCancelLeaveRequestAsync(id, req.Reason ?? "");
 
             return Success();
@@ -1380,6 +1392,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> CommanderApproveLeaveRequestAsync(Guid id,
             [FromBody] LeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.CommanderApproveLeaveRequest(id, req.Reason ?? "");
 
             return Success();
@@ -1400,6 +1418,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> ApproveLeaveRequestAsync(Guid id,
             [FromBody] LeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.ApproveLeaveRequest(id, req.Reason ?? "");
 
             return Success();
@@ -1440,6 +1464,12 @@ namespace BMA.EHR.Leave.Service.Controllers
         public async Task<ActionResult<ResponseObject>> RejectLeaveRequestAsync(Guid id,
             [FromBody] LeaveRequestApproveDto req)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_LEAVE_LIST");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             await _leaveRequestRepository.RejectLeaveRequest(id, req.Reason ?? "");
 
             return Success();
diff --git a/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs b/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs
index 1649108c..000adcf0 100644
--- a/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs
+++ b/BMA.EHR.Placement.Service/Controllers/PlacementTransferController.cs
@@ -532,7 +532,7 @@ namespace BMA.EHR.Placement.Service.Controllers
                 placementTransfer.posTypeNameOld = org.result.posTypeName;
                 placementTransfer.posLevelOldId = org.result.posLevelId;
                 placementTransfer.posLevelNameOld = org.result.posLevelName;
-
+                placementTransfer.AmountOld = org.result.salary;
                 placementTransfer.PositionOld = org.result.position;
                 placementTransfer.PositionLevelOld = org.result.posLevelName;
                 placementTransfer.PositionTypeOld = org.result.posTypeName;
diff --git a/BMA.EHR.Placement.Service/Requests/OrgRequest.cs b/BMA.EHR.Placement.Service/Requests/OrgRequest.cs
index f0d858e4..54263203 100644
--- a/BMA.EHR.Placement.Service/Requests/OrgRequest.cs
+++ b/BMA.EHR.Placement.Service/Requests/OrgRequest.cs
@@ -40,5 +40,7 @@ namespace BMA.EHR.Placement.Service.Requests
         public string? posTypeName { get; set; }
         public string? posLevelId { get; set; }
         public string? posLevelName { get; set; }
+        public double? salary { get; set; }
+
     }
 }
\ No newline at end of file