diff --git a/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs b/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs
index 912e88d0..de5fe6b5 100644
--- a/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs
+++ b/BMA.EHR.Insignia/Controllers/InsigniaRequestController.cs
@@ -1854,7 +1854,7 @@ namespace BMA.EHR.Insignia.Service.Controllers
         [HttpPut("note/doc/{insigniaNoteId:length(36)}")]
         public async Task<ActionResult<ResponseObject>> AddDocumentProfile([FromForm] InsigniaNoteDocRequest req, Guid insigniaNoteId)
         {
-            var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD");
+            var getPermission = await _permission.GetPermissionAPIAsync("UPDATE", "SYS_INSIGNIA_RECORD");
             var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
             if (jsonData["status"]?.ToString() != "200")
             {
@@ -1908,6 +1908,12 @@ namespace BMA.EHR.Insignia.Service.Controllers
         [HttpGet("note/doc/{insigniaNoteId:length(36)}")]
         public async Task<ActionResult<ResponseObject>> GetDocumentProfile(Guid insigniaNoteId)
         {
+            var getPermission = await _permission.GetPermissionAPIAsync("LIST", "SYS_INSIGNIA_RECORD");
+            var jsonData = JsonConvert.DeserializeObject<JObject>(getPermission);
+            if (jsonData["status"]?.ToString() != "200")
+            {
+                return Error(jsonData["message"]?.ToString(), StatusCodes.Status403Forbidden);
+            }
             var insigniaNote = await _context.InsigniaNotes
                                     .Include(x => x.InsigniaNoteDocs)
                                     .ThenInclude(x => x.Document)