diff --git a/BMA.EHR.Retirement.Service/Controllers/RetirementController.cs b/BMA.EHR.Retirement.Service/Controllers/RetirementController.cs
index 610c2078..225a22b1 100644
--- a/BMA.EHR.Retirement.Service/Controllers/RetirementController.cs
+++ b/BMA.EHR.Retirement.Service/Controllers/RetirementController.cs
@@ -255,6 +255,12 @@ namespace BMA.EHR.Retirement.Service.Controllers
 [HttpGet("{type}/{year}")]
 public async Task> GetRetirement(string type, int year)
 {
+ var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_RETIREMENT");
+ var jsonData = JsonConvert.DeserializeObject(getPermission);
+ if (jsonData["status"]?.ToString() != "200")
+ {
+ return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+ }
 if (type.Trim().ToUpper().Contains("OFFICER") || type.Trim().ToUpper().Contains("EMPLOYEE"))
 {
 var retire_old = await _context.RetirementPeriodHistorys
@@ -742,6 +748,12 @@ namespace BMA.EHR.Retirement.Service.Controllers
 [HttpGet("{retireId:length(36)}")]
 public async Task> GetProfileRetirement(Guid retireId)
 {
+ var getPermission = await _permission.GetPermissionAPIAsync("GET", "SYS_RETIREMENT");
+ var jsonData = JsonConvert.DeserializeObject(getPermission);
+ if (jsonData["status"]?.ToString() != "200")
+ {
+ return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+ }
 var retire = await _context.RetirementPeriods
 .Include(x => x.RetirementProfiles)
 .Include(x => x.Document)
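Review bot: In the guard added to GetRetirement, `jsonData` is dereferenced without a null check, and `JsonConvert.DeserializeObject` returns null for an empty or literal `null` body, so a blank reply from the permission service surfaces as a NullReferenceException instead of the intended 403; the identical block in the GetProfileRetirement hunk has the same gap. The request still fails closed, but the denial should be explicit: `if (jsonData?["status"]?.ToString() != "200")` and `return Error(jsonData?["message"]?.ToString(), StatusCodes.Status403Forbidden);`. The upstream `message` is also relayed to the caller verbatim and every non-200 status is reported as 403, so if the permission service can return internal error text, a fixed denial message with the upstream text logged server-side would be safer. Since the six lines are duplicated, a small private helper taking the action name would keep the two checks from drifting apart. Both method bodies continue outside the hunks.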
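Review bot: The check added to GetProfileRetirement authorises the action (`"GET"` on `"SYS_RETIREMENT"`) but never sees `retireId`, so as far as this hunk shows, any caller holding that permission can request any record id. The query that follows continues outside the hunk and may already restrict the result; if records are meant to be limited per organisation or owner, confirm that the lookup applies that filter. A comment above the guard would make the boundary clear to the next reader, for example `// Role-level check only: does not restrict which retireId the caller may read.`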