diff --git a/src/controllers/KpiPeriodController.ts b/src/controllers/KpiPeriodController.ts index cb86749..58ebd8f 100644 --- a/src/controllers/KpiPeriodController.ts +++ b/src/controllers/KpiPeriodController.ts @@ -28,6 +28,8 @@ import { KpiUserRole } from "../entities/kpiUserRole"; import { KpiUserPlanned } from "../entities/kpiUserPlanned"; import { KpiUserCapacity } from "../entities/kpiUserCapacity"; import { KpiUserSpecial } from "../entities/kpiUserSpecial"; +import { RequestWithUser } from "../middlewares/user"; +import permission from "../interfaces/permission"; @Route("api/v1/kpi/period") @Tags("kpiPeriod") @@ -59,8 +61,9 @@ export class kpiPeriodController extends Controller { }) async createKpi( @Body() requestBody: createKpiPeriod, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_ROUND"); const chkkpiPeriod = await this.kpiPeriodRepository.findOne({ where: { durationKPI: requestBody.durationKPI, @@ -90,8 +93,9 @@ export class kpiPeriodController extends Controller { async updateKpiPeriod( @Path() id: string, @Body() requestBody: updateKpiPeriod, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionUpdate(request, "SYS_KPI_ROUND"); const kpiPeriod = await this.kpiPeriodRepository.findOne({ where: { id: id }, }); @@ -229,7 +233,8 @@ export class kpiPeriodController extends Controller { * @param id */ @Delete("{id}") - async deleteKpiPeriod(@Path() id: string) { + async deleteKpiPeriod(@Path() id: string, @Request() request: RequestWithUser) { + await new permission().PermissionDelete(request, "SYS_KPI_ROUND"); const kpiPeriod = await this.kpiPeriodRepository.findOne({ where: { id: id }, }); diff --git a/src/controllers/KpiUserCapacityController.ts b/src/controllers/KpiUserCapacityController.ts index dd0bc7e..c603464 100644 --- a/src/controllers/KpiUserCapacityController.ts 
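Review bot: The call `await new permission().PermissionCreate(request, "SYS_KPI_ROUND");` added at the top of createKpi discards its result, so it only protects the handler if PermissionCreate rejects on denial, and that contract is not visible in this diff. If it does throw, a one-line comment such as `// rejects (throws) when the caller lacks create permission on SYS_KPI_ROUND` would make the fail-closed behaviour explicit. If it returns a flag instead, the result has to be tested before the `findOne`. The same applies to the PermissionUpdate and PermissionDelete calls in the updateKpiPeriod and deleteKpiPeriod hunks, and to the calls added in the other controllers. The handler bodies continue outside the hunks.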
+++ b/src/controllers/KpiUserCapacityController.ts @@ -25,6 +25,9 @@ import { KpiUserEvaluation } from "../entities/kpiUserEvaluation"; import { KpiUserCapacity, KpiUserCapacityDataPoint } from "../entities/kpiUserCapacity"; import { Like, In, Not } from "typeorm"; import { Double } from "typeorm/browser"; +import { RequestWithUser } from "../middlewares/user"; +import permission from "../interfaces/permission"; +import { request } from "axios"; @Route("api/v1/kpi/user/capacity") @Tags("kpiUserCapacity") @@ -55,8 +58,9 @@ export class KpiUserCapacityController extends Controller { level: string | null; weight: number; }, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); const kpiUserEvalution = await this.kpiUserEvalutionRepository.findOne({ where: { id: requestBody.kpiUserEvaluationId }, }); @@ -110,8 +114,9 @@ export class KpiUserCapacityController extends Controller { level: string; weight: number; }, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionUpdate(request, "SYS_KPI_LIST"); const kpiUserEvalution = await this.kpiUserEvalutionRepository.findOne({ where: { id: requestBody.kpiUserEvaluationId }, }); @@ -229,7 +234,8 @@ export class KpiUserCapacityController extends Controller { * @param {string} id Guid, *Id องค์ประกอบที่ 2 พฤติกรรมการปฎิบัติราชการ (สมรรถนะ) (USER) */ @Delete("{id}") - async deleteKpiUserCapacity(@Path() id: string) { + async deleteKpiUserCapacity(@Path() id: string, @Request() request: RequestWithUser) { + await new permission().PermissionDelete(request, "SYS_KPI_LIST"); const kpiUserCapacity = await this.kpiUserCapacityRepository.findOne({ where: { id: id }, }); 
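Review bot: The added `import { request } from "axios";` in the import hunk is not used by any line shown in this diff, and it puts a module-level binding named `request` in scope, the same name every handler here uses for its `@Request()` parameter. In a handler that lacks that parameter, a later `new permission().PermissionX(request, ...)` would resolve to the axios function rather than the incoming request, so the check could end up not looking at the caller at all. Whether the compiler would reject that depends on the helper's parameter type, which is not shown. It looks like an editor auto-import, and I would drop the line.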
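Review bot: The new `PermissionDelete(request, "SYS_KPI_LIST")` check in deleteKpiUserCapacity is keyed only on the system name, and the row is then loaded with `where: { id: id }` taken straight from the path, so nothing visible in the hunk ties the row to `request.user`. If the permission helper does not scope by owner or organisation, any holder of delete rights on SYS_KPI_LIST could remove another user's capacity row by id. The rest of the body is outside the hunk, so an ownership check may already exist there. If it does not, compare the loaded row's owner with the caller before deleting, or state the intent with a comment such as `// SYS_KPI_LIST delete permission is global: holders may delete any user's row`. The edit and delete hunks in the Development, Planned, Role and Special controllers follow the same pattern.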
@@ -253,8 +259,9 @@ export class KpiUserCapacityController extends Controller { @Post("point") async CreateKpiUserCapacityPoint( @Body() requestBody: KpiUserCapacityDataPoint[], - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); for (const item of requestBody) { const kpiUserCapacity = await this.kpiUserCapacityRepository.findOne({ where: { id: item.id }, diff --git a/src/controllers/KpiUserDevelopmentController.ts b/src/controllers/KpiUserDevelopmentController.ts index 40d3140..6f93da2 100644 --- a/src/controllers/KpiUserDevelopmentController.ts +++ b/src/controllers/KpiUserDevelopmentController.ts @@ -27,6 +27,8 @@ import HttpError from "../interfaces/http-error"; import { KpiUserEvaluation } from "../entities/kpiUserEvaluation"; import { Not, Like, Brackets } from "typeorm"; import { DevelopmentProject } from "../entities/developmentProject"; +import { RequestWithUser } from "../middlewares/user"; +import permission from "../interfaces/permission"; @Route("api/v1/kpi/user/achievement/development") @Tags("KpiUserDevelopment") @@ -51,8 +53,9 @@ export class KpiUserDevelopmentController extends Controller { async createKpiUserDevelopment( @Body() requestBody: CreateKpiUserDevelopment, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); const chkUserEvaluation = await this.kpiUserEvaluationRepository.findOne({ where: { id: requestBody.kpiUserEvaluationId }, }); 
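Review bot: CreateKpiUserCapacityPoint is guarded with `PermissionCreate`, but the loop that follows looks up existing rows with `findOne({ where: { id: item.id } })`, which suggests the handler modifies existing records rather than creating them. If so, a caller who holds only create rights on SYS_KPI_LIST can change stored scores, and the likely intended guard is `await new permission().PermissionUpdate(request, "SYS_KPI_LIST");`. The loop body continues outside the hunk, so confirm what is written before switching. The same choice appears in the `point` hunks of the Development, Planned, Role and Special controllers.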
@@ -122,8 +125,9 @@ export class KpiUserDevelopmentController extends Controller { async editKpiUserDevelopment( @Path() id: string, @Body() requestBody: UpdateKpiUserDevelopment, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionUpdate(request, "SYS_KPI_LIST"); const kpiUserDevelopment = await this.kpiUserDevelopmentRepository.findOne({ where: { id }, relations: { @@ -195,7 +199,8 @@ export class KpiUserDevelopmentController extends Controller { * */ @Delete("{id}") - async deleteKpiUserDevelopment(@Path() id: string) { + async deleteKpiUserDevelopment(@Path() id: string, @Request() request: RequestWithUser) { + await new permission().PermissionDelete(request, "SYS_KPI_LIST"); const delKpiUserDevelopment = await this.kpiUserDevelopmentRepository.findOne({ where: { id }, relations: ["developmentProjects"], @@ -293,8 +298,9 @@ export class KpiUserDevelopmentController extends Controller { @Post("point") async CreateKpiUserDevelopmentPoint( @Body() requestBody: KpiUserDevelopmentDataPoint[], - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); for (const item of requestBody) { const kpiUserDevelopment = await this.kpiUserDevelopmentRepository.findOne({ where: { id: item.id }, diff --git a/src/controllers/KpiUserEvaluationController.ts b/src/controllers/KpiUserEvaluationController.ts index 1a6b7ca..8e86152 100644 --- a/src/controllers/KpiUserEvaluationController.ts +++ b/src/controllers/KpiUserEvaluationController.ts @@ -37,6 +37,8 @@ import { KpiCapacity } from "../entities/kpiCapacity"; import { Position } from "../entities/position"; import { KpiLink } from "../entities/kpiLink"; import { KpiGroup } from "../entities/kpiGroup"; +import { RequestWithUser } from "../middlewares/user"; +import permission from "../interfaces/permission"; @Route("api/v1/kpi/user/evaluation") @Tags("kpiUserEvaluation") 
@@ -313,8 +315,9 @@ export class KpiUserEvaluationController extends Controller { @Post() async CreateKpiUserEvaluation( @Body() requestBody: createKpiUserEvaluation, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); const kpiPeriod = await this.kpiPeriodRepository.findOne({ where: { id: requestBody.kpiPeriodId }, }); @@ -1376,8 +1379,9 @@ export class KpiUserEvaluationController extends Controller { requestBody: { id: string[]; }, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_RESULT"); const kpiUserEvaluations = await this.kpiUserEvalutionRepository.find({ where: { id: In(requestBody.id) }, }); diff --git a/src/controllers/KpiUserPlannedController.ts b/src/controllers/KpiUserPlannedController.ts index 2479236..14c6641 100644 --- a/src/controllers/KpiUserPlannedController.ts +++ b/src/controllers/KpiUserPlannedController.ts @@ -29,6 +29,8 @@ import HttpError from "../interfaces/http-error"; import { Not } from "typeorm"; import { KpiUserEvaluation } from "../entities/kpiUserEvaluation"; import { KpiPlan } from "../entities/kpiPlan"; +import { RequestWithUser } from "../middlewares/user"; +import permission from "../interfaces/permission"; @Route("api/v1/kpi/user/achievement/planned") @Tags("KpiUserPlanned") @@ -53,8 +55,9 @@ export class KpiUserPlannedController extends Controller { async createKpiUserPlanned( @Body() requestBody: CreateKpiUserPlanned, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); const chkUserEvaluation = await this.kpiUserEvaluationRepository.findOne({ where: { id: requestBody.kpiUserEvaluationId }, }); 
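Review bot: The second hunk in KpiUserEvaluationController (at new line 1379) switches the key to `"SYS_RESULT"` and uses `PermissionCreate`, while the handler goes on to load existing evaluations with `where: { id: In(requestBody.id) }`; the reason for either choice is not evident from the lines shown. The handler's name and decorator are outside the hunk, so the action may be correct, but a short comment would help, for example `// publishing results is a create action on SYS_RESULT, not an update on SYS_KPI_LIST`. The check also runs once for the whole caller-supplied id array. If access to individual evaluations is meant to be restricted, that needs enforcing per record after the `find`.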
@@ -116,8 +119,9 @@ export class KpiUserPlannedController extends Controller { async editKpiUserPlanned( @Path() id: string, @Body() requestBody: UpdateKpiUserPlanned, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionUpdate(request, "SYS_KPI_LIST"); const kpiUserPlanned = await this.kpiUserPlannedRepository.findOne({ where: { id } }); if (!kpiUserPlanned) { throw new HttpError(HttpStatusCode.NOT_FOUND, "ไม่พบข้อมูลงานตามแผนปฏิบัติราชการประจำปีนี้"); @@ -163,7 +167,8 @@ export class KpiUserPlannedController extends Controller { * @param {string} id Id ตำแหน่ง */ @Delete("{id}") - async deleteKpiUserPlanned(@Path() id: string) { + async deleteKpiUserPlanned(@Path() id: string, @Request() request: RequestWithUser) { + await new permission().PermissionDelete(request, "SYS_KPI_LIST"); const delKpiUserPlanned = await this.kpiUserPlannedRepository.findOne({ where: { id } }); if (!delKpiUserPlanned) { throw new HttpError(HttpStatusCode.NOT_FOUND, "ไม่พบข้อมูลงานตามแผนปฏิบัติราชการประจำปีนี้"); @@ -274,8 +279,9 @@ export class KpiUserPlannedController extends Controller { @Post("point") async CreateKpiUserPlannedPoint( @Body() requestBody: KpiUserPlannedDataPoint[], - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); for (const item of requestBody) { const kpiUserPlanned = await this.kpiUserPlannedRepository.findOne({ where: { id: item.id }, diff --git a/src/controllers/KpiUserRoleController.ts b/src/controllers/KpiUserRoleController.ts index c7697f6..0b70932 100644 --- a/src/controllers/KpiUserRoleController.ts +++ b/src/controllers/KpiUserRoleController.ts 
@@ -29,6 +29,8 @@ import HttpError from "../interfaces/http-error"; import { Not } from "typeorm"; import { KpiUserEvaluation } from "../entities/kpiUserEvaluation"; import { KpiRole } from "../entities/kpiRole"; +import { RequestWithUser } from "../middlewares/user"; +import permission from "../interfaces/permission"; @Route("api/v1/kpi/user/achievement/role") @Tags("KpiUserRole") @@ -53,8 +55,9 @@ export class KpiUserRoleController extends Controller { async createKpiUserRole( @Body() requestBody: CreateKpiUserRole, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); const chkUserEvaluation = await this.kpiUserEvaluationRepository.findOne({ where: { id: requestBody.kpiUserEvaluationId }, }); @@ -111,8 +114,9 @@ export class KpiUserRoleController extends Controller { async editKpiUserRole( @Path() id: string, @Body() requestBody: UpdateKpiUserRole, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionUpdate(request, "SYS_KPI_LIST"); const kpiUserRole = await this.kpiUserRoleRepository.findOne({ where: { id } }); if (!kpiUserRole) { throw new HttpError(HttpStatusCode.NOT_FOUND, "ไม่พบข้อมูลงานตามหน้าที่ความรับผิดชอบหลักนี้"); @@ -165,7 +169,8 @@ export class KpiUserRoleController extends Controller { * @param {string} id Id ตำแหน่ง */ @Delete("{id}") - async deleteKpiUserRole(@Path() id: string) { + async deleteKpiUserRole(@Path() id: string, @Request() request: RequestWithUser) { + await new permission().PermissionDelete(request, "SYS_KPI_LIST"); const delKpiUserRole = await this.kpiUserRoleRepository.findOne({ where: { id } }); if (!delKpiUserRole) { throw new HttpError(HttpStatusCode.NOT_FOUND, "ไม่พบข้อมูลงานตามหน้าที่ความรับผิดชอบหลักนี้"); 
@@ -277,8 +282,9 @@ export class KpiUserRoleController extends Controller { @Post("point") async CreateKpiUserRolePoint( @Body() requestBody: KpiUserRoleDataPoint[], - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); for (const item of requestBody) { const kpiUserRole = await this.kpiUserRoleRepository.findOne({ where: { id: item.id }, diff --git a/src/controllers/KpiUserSpecialController.ts b/src/controllers/KpiUserSpecialController.ts index ebbdd36..d8f57b6 100644 --- a/src/controllers/KpiUserSpecialController.ts +++ b/src/controllers/KpiUserSpecialController.ts @@ -27,6 +27,8 @@ import HttpError from "../interfaces/http-error"; import { KpiUserEvaluation } from "../entities/kpiUserEvaluation"; import { KpiSpecial } from "../entities/kpiSpecial"; import { Not } from "typeorm"; +import { RequestWithUser } from "../middlewares/user"; +import permission from "../interfaces/permission"; @Route("api/v1/kpi/user/achievement/special") @Tags("KpiUserSpecial") @@ -51,8 +53,9 @@ export class KpiUserSpecialController extends Controller { async createKpiUserSpecial( @Body() requestBody: CreateKpiUserSpecial, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); const chkUserEvaluation = await this.kpiUserEvaluationRepository.findOne({ where: { id: requestBody.kpiUserEvaluationId }, }); 
@@ -122,8 +125,9 @@ export class KpiUserSpecialController extends Controller { async editKpiUserSpecial( @Path() id: string, @Body() requestBody: UpdateKpiUserSpecial, - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionUpdate(request, "SYS_KPI_LIST"); const kpiUserSpecial = await this.kpiUserSpecialRepository.findOne({ where: { id } }); if (!kpiUserSpecial) { throw new HttpError(HttpStatusCode.NOT_FOUND, "ไม่พบข้อมูลงานที่ได้รับมอบหมายพิเศษนี้"); @@ -188,7 +192,8 @@ export class KpiUserSpecialController extends Controller { * */ @Delete("{id}") - async deleteKpiUserSpecial(@Path() id: string) { + async deleteKpiUserSpecial(@Path() id: string, @Request() request: RequestWithUser) { + await new permission().PermissionDelete(request, "SYS_KPI_LIST"); const delKpiUserSpecial = await this.kpiUserSpecialRepository.findOne({ where: { id } }); if (!delKpiUserSpecial) { throw new HttpError(HttpStatusCode.NOT_FOUND, "ไม่พบข้อมูลงานที่ได้รับมอบหมายพิเศษนี้"); @@ -310,8 +315,9 @@ export class KpiUserSpecialController extends Controller { @Post("point") async CreateKpiUserSpecialPoint( @Body() requestBody: KpiUserSpecialDataPoint[], - @Request() request: { user: Record }, + @Request() request: RequestWithUser, ) { + await new permission().PermissionCreate(request, "SYS_KPI_LIST"); for (const item of requestBody) { const kpiUserSpecial = await this.kpiUserSpecialRepository.findOne({ where: { id: item.id },