diff --git a/src/controllers/PositionController.ts b/src/controllers/PositionController.ts
index d8aee369..d8e9bd7e 100644
--- a/src/controllers/PositionController.ts
+++ b/src/controllers/PositionController.ts
@@ -38,7 +38,7 @@ import { EmployeePosLevel } from "../entities/EmployeePosLevel";
 import { AuthRole } from "../entities/AuthRole";
 import { RequestWithUser } from "../middlewares/user";
 import permission from "../interfaces/permission";
-import { setLogDataDiff } from "../interfaces/utils";
+import { resolveNodeLevel, setLogDataDiff } from "../interfaces/utils";
 import { PosMasterAssign } from "../entities/PosMasterAssign";
 import { Assign } from "../entities/Assign";
 import { ProfileEmployee } from "../entities/ProfileEmployee";
@@ -5272,9 +5272,45 @@ export class PositionController extends Controller {
 let searchShortName3 = `CONCAT(orgChild3.orgChild3ShortName," ",COALESCE(posMaster.posMasterNoPrefix, ""),posMaster.posMasterNo,COALESCE(posMaster.posMasterNoSuffix, ""))`;
 let searchShortName4 = `CONCAT(orgChild4.orgChild4ShortName," ",COALESCE(posMaster.posMasterNoPrefix, ""),posMaster.posMasterNo,COALESCE(posMaster.posMasterNoSuffix, ""))`;
 let _data = await new permission().PermissionOrgList(request, "SYS_POS_CONDITION");
+ const orgDna = await new permission().checkDna(request, request.user.sub);
+ let level: any = resolveNodeLevel(orgDna);
+
+ const cannotViewRootPosMaster =
+ (_data.privilege === "ROOT" && level > 0) ||
+ (_data.privilege === "PARENT") ||
+ (_data.privilege === "BROTHER" && level > 1) ||
+ (_data.privilege === "CHILD" && level > 0) ||
+ (_data.privilege === "NORMAL" && level != 0);
+
+ const cannotViewChild1PosMaster =
+ (_data.privilege === "ROOT" && level > 1) ||
+ (_data.privilege === "PARENT" && level > 1) ||
+ (_data.privilege === "BROTHER" && level > 2) ||
+ (_data.privilege === "CHILD" && level > 1) ||
+ (_data.privilege === "NORMAL" && level !== 1);
+
+ const cannotViewChild2PosMaster =
+ (_data.privilege === "ROOT" && level > 2) ||
+ (_data.privilege === "PARENT" && level > 2) ||
+ (_data.privilege === "BROTHER" && level > 3) ||
+ (_data.privilege === "CHILD" && level > 2) ||
+ (_data.privilege === "NORMAL" && level !== 2);
+
+ const cannotViewChild3PosMaster =
+ (_data.privilege === "ROOT" && level > 3) ||
+ (_data.privilege === "PARENT" && level > 3) ||
+ (_data.privilege === "BROTHER" && level > 4) ||
+ (_data.privilege === "CHILD" && level > 3) ||
+ (_data.privilege === "NORMAL" && level !== 3);
+
+ const cannotViewChild4PosMaster =
+ (_data.privilege === "PARENT" && level > 4) ||
+ (_data.privilege === "CHILD" && level > 4) ||
+ (_data.privilege === "NORMAL" && level !== 4);
+
 if (body.type === 0) {
 typeCondition = {
- orgRootId: body.id,
+ ...(cannotViewRootPosMaster ? { orgRootId: null } : { orgRootId: body.id }),
 };
 if (!body.isAll) {
 checkChildConditions = {
@@ -5285,7 +5321,7 @@ export class PositionController extends Controller {
 }
 } else if (body.type === 1) {
 typeCondition = {
- orgChild1Id: body.id,
+ ...(cannotViewChild1PosMaster ? { orgChild1Id: null } : { orgChild1Id: body.id }),
 };
 if (!body.isAll) {
 checkChildConditions = {
@@ -5296,7 +5332,7 @@ export class PositionController extends Controller {
 }
 } else if (body.type === 2) {
 typeCondition = {
- orgChild2Id: body.id,
+ ...(cannotViewChild2PosMaster ? { orgChild2Id: null } : { orgChild2Id: body.id }),
 };
 if (!body.isAll) {
 checkChildConditions = {
@@ -5307,7 +5343,7 @@ export class PositionController extends Controller {
 }
 } else if (body.type === 3) {
 typeCondition = {
- orgChild3Id: body.id,
+ ...(cannotViewChild3PosMaster ? { orgChild3Id: null } : { orgChild3Id: body.id }),
 };
 if (!body.isAll) {
 checkChildConditions = {
@@ -5318,7 +5354,7 @@ export class PositionController extends Controller {
 }
 } else if (body.type === 4) {
 typeCondition = {
- orgChild4Id: body.id,
+ ...(cannotViewChild4PosMaster ? { orgChild4Id: null } : { orgChild4Id: body.id }),
 };
 searchShortName = `CONCAT(orgChild4.orgChild4ShortName," ",COALESCE(posMaster.posMasterNoPrefix, ""),posMaster.posMasterNo,COALESCE(posMaster.posMasterNoSuffix, "")) like '%${body.keyword}%'`;
 }
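Review bot: The deny path in this hunk and in the four `typeCondition` hunks that follow (`body.type` 1 to 4) swaps the requested id for `{ orgRootId: null }` or `{ orgChildNId: null }` instead of rejecting the request, so the result depends on how the ORM treats a null-valued key. If it is rendered as `IS NULL`, a caller who fails the check for `body.type === 1` still receives every position whose `orgChild1Id` is null, and if the key is dropped the filter disappears; neither yields an empty result. The `cannotView*` flags compare only `_data.privilege` and `level`, never `body.id` against the caller's own org ids, and because `level` is typed `any`, a null or undefined return from `resolveNodeLevel` makes every `level > n` test false, so those branches fail open. I would return the controller's existing forbidden or empty response as soon as a flag is set and treat an unresolved level as denied, for example guarding with `if (typeof level !== "number")` before the flags are computed. The enclosing method starts and ends outside the hunk, so how `typeCondition` reaches the query is not visible here.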
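Review bot: The `searchShortName` assignment kept as context in the `body.type === 4` hunk interpolates `body.keyword` directly into the SQL text of its `like` clause, which lets request input change the statement. Since this commit already reworks the access logic around it, the line should bind the value instead: end the fragment with `like :keyword` and pass the pattern (`%` + keyword + `%`) as a query parameter. Where the string is consumed lies outside the hunk, so confirm the call site accepts a parameter object.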
@@ -5403,56 +5439,56 @@ export class PositionController extends Controller {
 .leftJoinAndSelect("current_holder.posType", "posType")
 .leftJoinAndSelect("current_holder.posLevel", "posLevel")
 .where(conditions)
- .andWhere(
- _data.root != undefined && _data.root != null
- ? _data.root[0] != null
- ? `posMaster.orgRootId IN (:...root)`
- : `posMaster.orgRootId is null`
- : "1=1",
- {
- root: _data.root,
- },
- )
- .andWhere(
- _data.child1 != undefined && _data.child1 != null
- ? _data.child1[0] != null
- ? `posMaster.orgChild1Id IN (:...child1)`
- : `posMaster.orgChild1Id is ${_data.privilege == "PARENT" ? "not null" : "null"}`
- : "1=1",
- {
- child1: _data.child1,
- },
- )
- .andWhere(
- _data.child2 != undefined && _data.child2 != null
- ? _data.child2[0] != null
- ? `posMaster.orgChild2Id IN (:...child2)`
- : `posMaster.orgChild2Id is null`
- : "1=1",
- {
- child2: _data.child2,
- },
- )
- .andWhere(
- _data.child3 != undefined && _data.child3 != null
- ? _data.child3[0] != null
- ? `posMaster.orgChild3Id IN (:...child3)`
- : `posMaster.orgChild3Id is null`
- : "1=1",
- {
- child3: _data.child3,
- },
- )
- .andWhere(
- _data.child4 != undefined && _data.child4 != null
- ? _data.child4[0] != null
- ? `posMaster.orgChild4Id IN (:...child4)`
- : `posMaster.orgChild4Id is null`
- : "1=1",
- {
- child4: _data.child4,
- },
- )
+ // .andWhere(
+ // _data.root != undefined && _data.root != null
+ // ? _data.root[0] != null
+ // ? `posMaster.orgRootId IN (:...root)`
+ // : `posMaster.orgRootId is null`
+ // : "1=1",
+ // {
+ // root: _data.root,
+ // },
+ // )
+ // .andWhere(
+ // _data.child1 != undefined && _data.child1 != null
+ // ? _data.child1[0] != null
+ // ? `posMaster.orgChild1Id IN (:...child1)`
+ // : `posMaster.orgChild1Id is ${_data.privilege == "PARENT" ? "not null" : "null"}`
+ // : "1=1",
+ // {
+ // child1: _data.child1,
+ // },
+ // )
+ // .andWhere(
+ // _data.child2 != undefined && _data.child2 != null
+ // ? _data.child2[0] != null
+ // ? `posMaster.orgChild2Id IN (:...child2)`
+ // : `posMaster.orgChild2Id is null`
+ // : "1=1",
+ // {
+ // child2: _data.child2,
+ // },
+ // )
+ // .andWhere(
+ // _data.child3 != undefined && _data.child3 != null
+ // ? _data.child3[0] != null
+ // ? `posMaster.orgChild3Id IN (:...child3)`
+ // : `posMaster.orgChild3Id is null`
+ // : "1=1",
+ // {
+ // child3: _data.child3,
+ // },
+ // )
+ // .andWhere(
+ // _data.child4 != undefined && _data.child4 != null
+ // ? _data.child4[0] != null
+ // ? `posMaster.orgChild4Id IN (:...child4)`
+ // : `posMaster.orgChild4Id is null`
+ // : "1=1",
+ // {
+ // child4: _data.child4,
+ // },
+ // )
 .orWhere(
 new Brackets((qb) => {
 qb.andWhere(
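Review bot: Commenting out the five `.andWhere(...)` filters on `_data.root` and `_data.child1` to `_data.child4` removes the only visible place where the result set is limited to the org ids returned by `PermissionOrgList`, and nothing in this hunk replaces it. The `cannotView*` flags added earlier in the file test privilege and node level but not whether the requested id lies inside the caller's scope, so unless `conditions` already carries that restriction the query is no longer bound to the caller's own organisations. If the scope filter is genuinely superseded, delete the 50 lines rather than leaving them commented and add a comment at `.where(conditions)` naming what now enforces org scope; otherwise keep the bound `IN (:...root)` style filters. The `.orWhere(new Brackets(...))` that follows is cut off by the hunk, so whether it widens the result past `conditions` cannot be judged from here.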