diff --git a/internal/capabilities/capabilities.go b/internal/capabilities/capabilities.go
deleted file mode 100644
index 47f774ba..00000000
--- a/internal/capabilities/capabilities.go
+++ /dev/null
@@ -1,44 +0,0 @@
-package capabilities
-
-import (
-	"strings"
-
-	permission "gitlab.com/mbugroup/lti-api.git/internal/middleware"
-)
-
-// FromPermissions returns a filtered map of capabilities that the frontend can use
-// to toggle features. Only permissions recognized by the application are exposed.
-func FromPermissions(perms []string) map[string]bool {
-	if len(perms) == 0 {
-		return nil
-	}
-
-	out := make(map[string]bool)
-	for _, perm := range perms {
-		if key, ok := normalizeAndAllow(perm); ok {
-			out[key] = true
-		}
-	}
-	if len(out) == 0 {
-		return nil
-	}
-	return out
-}
-
-func normalizeAndAllow(perm string) (string, bool) {
-	perm = strings.ToLower(strings.TrimSpace(perm))
-	if perm == "" {
-		return "", false
-	}
-	if _, ok := allowed[perm]; !ok {
-		return "", false
-	}
-	return perm, true
-}
-
-var allowed = map[string]struct{}{
-	permission.PermissionRecordingRead:   {},
-	permission.PermissionRecordingCreate: {},
-	permission.PermissionRecordingUpdate: {},
-	permission.PermissionRecordingDelete: {},
-}
diff --git a/internal/middleware/permissions.go b/internal/middleware/permissions.go
index 928242a0..e715aae9 100644
--- a/internal/middleware/permissions.go
+++ b/internal/middleware/permissions.go
@@ -1,14 +1,199 @@
 package middleware
 
-//project-flock
+// project-flock
 const (
-	PermissionProjectFlockClosing = "lti:project-flock:closing"
+	P_ProjectFlockKandangsClosing = "lti.production.project_flock_kandangs.closing"
+	P_ProjectFlockKandangsGetAll  = "lti.production.project_flock_kandangs.list"
+	P_ProjectFlockKandangsGetOne  = "lti.production.project_flock_kandangs.detail"
+
+	P_ProjectFlockGetAll     = "lti.production.project_flocks.list"
+	P_ProjectFlockCreate     = "lti.production.project_flocks.create"
+	P_ProjectFlockGetOne     = "lti.production.project_flocks.detail"
+	P_ProjectFlockUpdate     = "lti.production.project_flocks.update"
+	P_ProjectFlockDelete     = "lti.production.project_flocks.delete"
+	P_ProjectFlockApprove    = "lti.production.project_flocks.approve"
+	P_ProjectFlockLookup     = "lti.production.project_flocks.lookup"
+	P_ProjectFlockNextPeriod = "lti.production.project_flocks.next_period"
+	P_ProjectFlockResubmit   = "lti.production.project_flocks.resubmit"
 )
 
-//recording
 const (
-	PermissionRecordingRead   = "recording.index"
-	PermissionRecordingCreate = "recording.create"
-	PermissionRecordingUpdate = "recording.update"
-	PermissionRecordingDelete = "recording.delete"
-)
\ No newline at end of file
+	P_ExpenseGetAll               = "lti.expense.list"
+	P_ExpenseCreateOne            = "lti.expense.create"
+	P_ExpenseUpdateOne            = "lti.expense.update"
+	P_ExpenseGetOne               = "lti.expense.detail"
+	P_ExpenseDeleteOne            = "lti.expense.delete"
+	P_ExpenseApprovalManager      = "lti.expense.approve.manager"
+	P_ExpenseApprovalFinance      = "lti.expense.approve.finance"
+	P_ExpenseCreateRealizations   = "lti.expense.create.realization"
+	P_ExpenseUpdateRealizations   = "lti.expense.update.realization"
+	P_ExpenseCompleteExpense      = "lti.expense.complete.expense"
+	P_ExpenseDocument             = "lti.expense.document"
+	P_ExpenseDocumentRealizations = "lti.expense.document.realization"
+)
+const (
+	P_AdjustmentGetAll = "lti.inventory.list"
+	P_AdjustmentCreate = "lti.inventory.create"
+	P_AdjustmentGetOne = "lti.inventory.detail"
+)
+const (
+	P_ApprovalGetAll = "lti.approval.list"
+)
+const (
+	P_ReportExpenseGetAll = "lti.repport.expense.list"
+	P_ReportDeliveryGetAll = "lti.repport.delivery.list"
+	P_ReportPurchaseSupplierGetAll = "lti.repport.purchasesupplier.list"
+)
+
+
+const (
+	P_ProductStockGetAll      = "lti.inventory.product_stock.list"
+	P_ProductStockGetOne      = "lti.inventory.product_stock.detail"
+	P_ProductWarehousekGetAll = "lti.inventory.product_warehouses.list"
+	P_ProductWarehouseGetOne  = "lti.inventory.product_warehouses.detail"
+)
+const (
+	P_ClosingGetAll     = "lti.closing.list"
+	P_ClosingPenjualan  = "lti.closing.penjualan"
+	P_ClosingGetSummary = "lti.closing.getsummary"
+	P_ClosingGetOverhead = "lti.closing.getoverhead"
+	P_ClosingCountSapronakKandang = "lti.closing.getsapronakcount.kandang"
+	P_ClosingCountSapronak = "lti.closing.getsapronakcount"
+	P_ClosingSapronak = "lti.closing.getsapronak"
+
+	P_ClosingExpeditionHpp = "lti.closing.expedition"
+	P_ClosingExpeditionHppByKandang = "lti.closing.expedition.kandang"
+	P_ClosingDataProduction = "lti.closing.production.data"
+
+)
+
+const (
+	P_TransferGetAll    = "lti.inventory.transfer.list"
+	P_TransferGetOne    = "lti.inventory.transfer.detail"
+	P_TransferCreateOne = "lti.inventory.transfer.create"
+)
+
+const (
+	P_DeliveryGetAll      = "lti.marketing.delivery_order.list"
+	P_DeliveryGetOne      = "lti.marketing.delivery_order.detail"
+	P_DeliveryCreateOne   = "lti.marketing.delivery_order.create"
+	P_DeliveryUpdateOne   = "lti.marketing.delivery_order.update"
+	P_SalesOrderDelete    = "lti.marketing.sales_order.delete"
+	P_SalesOrderApproval  = "lti.marketing.sales_order.approve"
+	P_SalesOrderCreateOne = "lti.marketing.sales_order.create"
+	P_SalesOrderUpdateOne = "lti.marketing.sales_order.update"
+)
+
+const (
+	P_AreaGetAll    = "lti.master.area.list"
+	P_AreaGetOne    = "lti.master.area.detail"
+	P_AreaCreateOne = "lti.master.area.create"
+	P_AreaUpdateOne = "lti.master.area.update"
+	P_AreaDeleteOne = "lti.master.area.delete"
+
+	P_BanksGetAll    = "lti.master.banks.list"
+	P_BanksGetOne    = "lti.master.banks.detail"
+	P_BanksCreateOne = "lti.master.banks.create"
+	P_BanksUpdateOne = "lti.master.banks.update"
+	P_BanksDeleteOne = "lti.master.banks.delete"
+
+	P_CustomerGetAll    = "lti.master.customer.list"
+	P_CustomerGetOne    = "lti.master.customer.detail"
+	P_CustomerCreateOne = "lti.master.customer.create"
+	P_CustomerUpdateOne = "lti.master.customer.update"
+	P_CustomerDeleteOne = "lti.master.customer.delete"
+
+	P_FcrGetAll    = "lti.master.fcr.list"
+	P_FcrGetOne    = "lti.master.fcr.detail"
+	P_FcrCreateOne = "lti.master.fcr.create"
+	P_FcrUpdateOne = "lti.master.fcr.update"
+	P_FcrDeleteOne = "lti.master.fcr.delete"
+
+	P_FlocksGetAll    = "lti.master.flocks.list"
+	P_FlocksGetOne    = "lti.master.flocks.detail"
+	P_FlocksCreateOne = "lti.master.flocks.create"
+	P_FlocksUpdateOne = "lti.master.flocks.update"
+	P_FlocksDeleteOne = "lti.master.flocks.delete"
+
+	P_KandangsGetAll    = "lti.master.kandangs.list"
+	P_KandangsGetOne    = "lti.master.kandangs.detail"
+	P_KandangsCreateOne = "lti.master.kandangs.create"
+	P_KandangsUpdateOne = "lti.master.kandangs.update"
+	P_KandangsDeleteOne = "lti.master.kandangs.delete"
+
+	P_LocationsGetAll    = "lti.master.locations.list"
+	P_LocationsGetOne    = "lti.master.locations.detail"
+	P_LocationsCreateOne = "lti.master.locations.create"
+	P_LocationsUpdateOne = "lti.master.locations.update"
+	P_LocationsDeleteOne = "lti.master.locations.delete"
+
+	P_NonstocksGetAll    = "lti.master.nonstocks.list"
+	P_NonstocksGetOne    = "lti.master.nonstocks.detail"
+	P_NonstocksCreateOne = "lti.master.nonstocks.create"
+	P_NonstocksUpdateOne = "lti.master.nonstocks.update"
+	P_NonstocksDeleteOne = "lti.master.nonstocks.delete"
+
+	P_ProductCategoriesGetAll    = "lti.master.Product_categories.list"
+	P_ProductCategoriesGetOne    = "lti.master.Product_categories.detail"
+	P_ProductCategoriesCreateOne = "lti.master.Product_categories.create"
+	P_ProductCategoriesUpdateOne = "lti.master.Product_categories.update"
+	P_ProductCategoriesDeleteOne = "lti.master.Product_categories.delete"
+
+	P_ProductsGetAll    = "lti.master.Products.list"
+	P_ProductsGetOne    = "lti.master.Products.detail"
+	P_ProductsCreateOne = "lti.master.Products.create"
+	P_ProductsUpdateOne = "lti.master.Products.update"
+	P_ProductsDeleteOne = "lti.master.Products.delete"
+
+	P_SuppliersGetAll    = "lti.master.suppliers.list"
+	P_SuppliersGetOne    = "lti.master.suppliers.detail"
+	P_SuppliersCreateOne = "lti.master.suppliers.create"
+	P_SuppliersUpdateOne = "lti.master.suppliers.update"
+	P_SuppliersDeleteOne = "lti.master.suppliers.delete"
+
+	P_UomsGetAll    = "lti.master.uoms.list"
+	P_UomsGetOne    = "lti.master.uoms.detail"
+	P_UomsCreateOne = "lti.master.uoms.create"
+	P_UomsUpdateOne = "lti.master.uoms.update"
+	P_UomsDeleteOne = "lti.master.uoms.delete"
+
+	P_WarehousesGetAll    = "lti.master.warehouses.list"
+	P_WarehousesGetOne    = "lti.master.warehouses.detail"
+	P_WarehousesCreateOne = "lti.master.warehouses.create"
+	P_WarehousesUpdateOne = "lti.master.warehouses.update"
+	P_WarehousesDeleteOne = "lti.master.warehouses.delete"
+)
+
+const (
+	P_ChickinsCreateOne = "lti.production.chickins.create"
+	P_ChickinsGetOne    = "lti.production.chickins.detail"
+	P_ChickinsApproval  = "lti.production.chickins.approve"
+)
+
+// recording
+const (
+	P_RecordingGetAll    = "lti.production.recording.list"
+	P_RecordingGetOne    = "lti.production.recording.detail"
+	P_RecordingCreateOne = "lti.production.recording.create"
+	P_RecordingUpdateOne = "lti.production.recording.update"
+	P_RecordingDeleteOne = "lti.production.recording.delete"
+	P_RecordingNextDay   = "lti.production.recording.next_day"
+	P_RecordingApproval  = "lti.production.recording.approve"
+)
+
+const (
+	P_PurchaseGetAll          = "lti.Purchase.list"
+	P_PurchaseGetOne          = "lti.Purchase.detail"
+	P_PurchaseCreateOne       = "lti.Purchase.create"
+	P_PurchaseUpdateOne       = "lti.Purchase.update"
+	P_PurchaseDeleteOne       = "lti.Purchase.delete"
+	P_PurchaseItemDeleteOne   = "lti.Purchase.delete.item"
+	P_PurchaseReceive         = "lti.Purchase.receive"
+	P_PurchaseApprovalStaff   = "lti.Purchase.approve.staff"
+	P_PurchaseApprovalManager = "lti.Purchase.approve.manager"
+)
+
+const (
+	P_UserGetAll = "lti.users.list"
+	P_UserGetOne = "lti.users.detail"
+)
diff --git a/internal/modules/approvals/route.go b/internal/modules/approvals/route.go
index 5dd39616..cd479c03 100644
--- a/internal/modules/approvals/route.go
+++ b/internal/modules/approvals/route.go
@@ -15,5 +15,5 @@ func ApprovalRoutes(v1 fiber.Router, u user.UserService, s common.ApprovalServic
 	route := v1.Group("/approvals")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
+	route.Get("/", ctrl.GetAll,m.RequirePermissions(m.P_ApprovalGetAll))
 }
diff --git a/internal/modules/closings/route.go b/internal/modules/closings/route.go
index 08b6e725..d4250624 100644
--- a/internal/modules/closings/route.go
+++ b/internal/modules/closings/route.go
@@ -1,7 +1,7 @@
 package closings
 
 import (
-	// m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
+	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	controller "gitlab.com/mbugroup/lti-api.git/internal/modules/closings/controllers"
 	closing "gitlab.com/mbugroup/lti-api.git/internal/modules/closings/services"
 	user "gitlab.com/mbugroup/lti-api.git/internal/modules/users/services"
@@ -13,6 +13,7 @@ func ClosingRoutes(v1 fiber.Router, u user.UserService, s closing.ClosingService
 	ctrl := controller.NewClosingController(s, sapronakSvc)
 
 	route := v1.Group("/closings")
+	route.Use(m.Auth(u))
 
 	// route.Get("/", m.Auth(u), ctrl.GetAll)
 	// route.Post("/", m.Auth(u), ctrl.CreateOne)
@@ -20,14 +21,14 @@ func ClosingRoutes(v1 fiber.Router, u user.UserService, s closing.ClosingService
 	// route.Patch("/:id", m.Auth(u), ctrl.UpdateOne)
 	// route.Delete("/:id", m.Auth(u), ctrl.DeleteOne)
 
-	route.Get("/", ctrl.GetAll)
-	route.Get("/:project_flock_id/penjualan", ctrl.GetPenjualan)
-	route.Get("/:project_flock_id/overhead", ctrl.GetOverhead)
-	route.Get("/:project_flock_id/:project_flock_kandang_id/perhitungan_sapronak", ctrl.GetSapronakByKandang)
-	route.Get("/:project_flock_id/perhitungan_sapronak", ctrl.GetSapronakByProject)
-	route.Get("/:projectFlockId", ctrl.GetClosingSummary)
-	route.Get("/:projectFlockId/sapronak", ctrl.GetClosingSapronak)
-	route.Get("/:project_flock_id/expedition-hpp", ctrl.GetExpeditionHPP)
-	route.Get("/:project_flock_id/:project_flock_kandang_id/expedition-hpp", ctrl.GetExpeditionHPPByKandang)
-	route.Get("/:projectFlockId/data-produksi", ctrl.GetClosingDataProduksi)
+	route.Get("/", m.RequirePermissions(m.P_ClosingGetAll), ctrl.GetAll)
+	route.Get("/:project_flock_id/penjualan", m.RequirePermissions(m.P_ClosingPenjualan), ctrl.GetPenjualan)
+	route.Get("/:projectFlockId", m.RequirePermissions(m.P_ClosingGetSummary), ctrl.GetClosingSummary)
+	route.Get("/:project_flock_id/overhead", m.RequirePermissions(m.P_ClosingGetOverhead), ctrl.GetOverhead)
+	route.Get("/:project_flock_id/:project_flock_kandang_id/perhitungan_sapronak", m.RequirePermissions(m.P_ClosingCountSapronakKandang), ctrl.GetSapronakByKandang)
+	route.Get("/:project_flock_id/perhitungan_sapronak", m.RequirePermissions(m.P_ClosingCountSapronak), ctrl.GetSapronakByProject)
+	route.Get("/:projectFlockId/sapronak", m.RequirePermissions(m.P_ClosingSapronak), ctrl.GetClosingSapronak)
+	route.Get("/:project_flock_id/expedition-hpp", m.RequirePermissions(m.P_ClosingExpeditionHpp), ctrl.GetExpeditionHPP)
+	route.Get("/:project_flock_id/:project_flock_kandang_id/expedition-hpp", m.RequirePermissions(m.P_ClosingExpeditionHppByKandang), ctrl.GetExpeditionHPPByKandang)
+	route.Get("/:projectFlockId/data-produksi", m.RequirePermissions(m.P_ClosingDataProduction), ctrl.GetClosingDataProduksi)
 }
diff --git a/internal/modules/constants/route.go b/internal/modules/constants/route.go
index 1da14371..46def610 100644
--- a/internal/modules/constants/route.go
+++ b/internal/modules/constants/route.go
@@ -12,6 +12,5 @@ func ConstantRoutes(v1 fiber.Router, s constant.ConstantService) {
 	ctrl := controller.NewConstantController(s)
 
 	route := v1.Group("/constants")
-
 	route.Get("/", ctrl.GetAll)
 }
diff --git a/internal/modules/expenses/route.go b/internal/modules/expenses/route.go
index 1fc5c07a..fa3191fa 100644
--- a/internal/modules/expenses/route.go
+++ b/internal/modules/expenses/route.go
@@ -22,16 +22,16 @@ func ExpenseRoutes(v1 fiber.Router, u user.UserService, s expense.ExpenseService
 	// route.Patch("/:id", m.Auth(u), ctrl.UpdateOne)
 	// route.Delete("/:id", m.Auth(u), ctrl.DeleteOne)
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
-	route.Post("/approvals/manager", ctrl.Approval)
-	route.Post("/approvals/finance", ctrl.Approval)
-	route.Post("/:id/realizations", ctrl.CreateRealization)
-	route.Patch("/:id/realizations", ctrl.UpdateRealization)
-	route.Post("/:id/complete", ctrl.CompleteExpense)
-	route.Delete("/:id/documents/:documentId", ctrl.DeleteDocument)
-	route.Delete("/:id/realization-documents/:documentId", ctrl.DeleteRealizationDocument)
+	route.Get("/",m.RequirePermissions(m.P_ExpenseGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_ExpenseCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_ExpenseGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_ExpenseUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_ExpenseDeleteOne), ctrl.DeleteOne)
+	route.Post("/approvals/manager",m.RequirePermissions(m.P_ExpenseApprovalManager), ctrl.Approval)
+	route.Post("/approvals/finance",m.RequirePermissions(m.P_ExpenseApprovalFinance), ctrl.Approval)
+	route.Post("/:id/realizations",m.RequirePermissions(m.P_ExpenseCreateRealizations), ctrl.CreateRealization)
+	route.Patch("/:id/realizations",m.RequirePermissions(m.P_ExpenseUpdateRealizations), ctrl.UpdateRealization)
+	route.Post("/:id/complete",m.RequirePermissions(m.P_ExpenseCompleteExpense), ctrl.CompleteExpense)
+	route.Delete("/:id/documents/:documentId",m.RequirePermissions(m.P_ExpenseDocument), ctrl.DeleteDocument)
+	route.Delete("/:id/realization-documents/:documentId",m.RequirePermissions(m.P_ExpenseDocumentRealizations), ctrl.DeleteRealizationDocument)
 }
diff --git a/internal/modules/inventory/adjustments/route.go b/internal/modules/inventory/adjustments/route.go
index 8c7e5f9f..f99fe01e 100644
--- a/internal/modules/inventory/adjustments/route.go
+++ b/internal/modules/inventory/adjustments/route.go
@@ -14,9 +14,9 @@ func AdjustmentRoutes(v1 fiber.Router, u user.UserService, s adjustment.Adjustme
 
 	route := v1.Group("/adjustments")
 	route.Use(m.Auth(u))
-
-	route.Get("/", ctrl.AdjustmentHistory)
-	route.Post("/", ctrl.Adjustment)
-	route.Get("/:id", ctrl.GetOne)
+	// Standard CRUD routes following master data pattern
+	route.Get("/",m.RequirePermissions(m.P_AdjustmentGetAll), ctrl.AdjustmentHistory) // Get all with pagination and filters
+	route.Post("/",m.RequirePermissions(m.P_AdjustmentCreate), ctrl.Adjustment)       // Create adjustment
+	route.Get("/:id",m.RequirePermissions(m.P_AdjustmentGetOne), ctrl.GetOne)
 
 }
diff --git a/internal/modules/inventory/product-stocks/route.go b/internal/modules/inventory/product-stocks/route.go
index c7bb37f8..41714edc 100644
--- a/internal/modules/inventory/product-stocks/route.go
+++ b/internal/modules/inventory/product-stocks/route.go
@@ -1,7 +1,7 @@
 package productStocks
 
 import (
-	// m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
+	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	controller "gitlab.com/mbugroup/lti-api.git/internal/modules/inventory/product-stocks/controllers"
 	productStock "gitlab.com/mbugroup/lti-api.git/internal/modules/inventory/product-stocks/services"
 	user "gitlab.com/mbugroup/lti-api.git/internal/modules/users/services"
@@ -13,13 +13,13 @@ func ProductStockRoutes(v1 fiber.Router, u user.UserService, s productStock.Prod
 	ctrl := controller.NewProductStockController(s)
 
 	route := v1.Group("/product-stocks")
-
+route.Use(m.Auth(u))
 	// route.Get("/", m.Auth(u), ctrl.GetAll)
 	// route.Post("/", m.Auth(u), ctrl.CreateOne)
 	// route.Get("/:id", m.Auth(u), ctrl.GetOne)
 	// route.Patch("/:id", m.Auth(u), ctrl.UpdateOne)
 	// route.Delete("/:id", m.Auth(u), ctrl.DeleteOne)
 
-	route.Get("/", ctrl.GetAll)
-	route.Get("/:id", ctrl.GetOne)
+	route.Get("/",m.RequirePermissions(m.P_ProductStockGetAll), ctrl.GetAll)
+	route.Get("/:id",m.RequirePermissions(m.P_ProductStockGetOne), ctrl.GetOne)
 }
diff --git a/internal/modules/inventory/product-warehouses/route.go b/internal/modules/inventory/product-warehouses/route.go
index 9c6c8e2b..81c06a08 100644
--- a/internal/modules/inventory/product-warehouses/route.go
+++ b/internal/modules/inventory/product-warehouses/route.go
@@ -15,7 +15,7 @@ func ProductWarehouseRoutes(v1 fiber.Router, u user.UserService, s productWareho
 	route := v1.Group("/product-warehouses")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Get("/:id", ctrl.GetOne)
+	route.Get("/",m.RequirePermissions(m.P_ProductWarehousekGetAll), ctrl.GetAll)
+	route.Get("/:id",m.RequirePermissions(m.P_ProductWarehouseGetOne), ctrl.GetOne)
 
 }
diff --git a/internal/modules/inventory/transfers/route.go b/internal/modules/inventory/transfers/route.go
index f608af42..d24dbcb4 100644
--- a/internal/modules/inventory/transfers/route.go
+++ b/internal/modules/inventory/transfers/route.go
@@ -15,8 +15,8 @@ func TransferRoutes(v1 fiber.Router, u user.UserService, s transfer.TransferServ
 	route := v1.Group("/transfers")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
+	route.Get("/",m.RequirePermissions(m.P_TransferGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_TransferCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_TransferGetOne), ctrl.GetOne)
 
 }
diff --git a/internal/modules/master/areas/route.go b/internal/modules/master/areas/route.go
index 755a542e..0d715fb7 100644
--- a/internal/modules/master/areas/route.go
+++ b/internal/modules/master/areas/route.go
@@ -15,9 +15,9 @@ func AreaRoutes(v1 fiber.Router, u user.UserService, s area.AreaService) {
 	route := v1.Group("/areas")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_AreaGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_AreaCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_AreaGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_AreaUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_AreaDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/banks/route.go b/internal/modules/master/banks/route.go
index 2e5bed3b..678a834c 100644
--- a/internal/modules/master/banks/route.go
+++ b/internal/modules/master/banks/route.go
@@ -14,10 +14,9 @@ func BankRoutes(v1 fiber.Router, u user.UserService, s bank.BankService) {
 
 	route := v1.Group("/banks")
 	route.Use(m.Auth(u))
-
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_BanksGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_BanksCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_BanksGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_BanksUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_BanksDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/customers/route.go b/internal/modules/master/customers/route.go
index d361e167..92f8139e 100644
--- a/internal/modules/master/customers/route.go
+++ b/internal/modules/master/customers/route.go
@@ -15,9 +15,9 @@ func CustomerRoutes(v1 fiber.Router, u user.UserService, s customer.CustomerServ
 	route := v1.Group("/customers")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_CustomerGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_CustomerCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_CustomerGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_CustomerUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_CustomerDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/fcrs/route.go b/internal/modules/master/fcrs/route.go
index 60633f16..06291ce4 100644
--- a/internal/modules/master/fcrs/route.go
+++ b/internal/modules/master/fcrs/route.go
@@ -15,9 +15,9 @@ func FcrRoutes(v1 fiber.Router, u user.UserService, s fcr.FcrService) {
 	route := v1.Group("/fcrs")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_FcrGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_FcrCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_FcrGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_FcrUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_FcrDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/flocks/route.go b/internal/modules/master/flocks/route.go
index 429d8dcd..046e014a 100644
--- a/internal/modules/master/flocks/route.go
+++ b/internal/modules/master/flocks/route.go
@@ -15,9 +15,9 @@ func FlockRoutes(v1 fiber.Router, u user.UserService, s flock.FlockService) {
 	route := v1.Group("/flocks")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_FlocksGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_FlocksCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_FlocksGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_FlocksUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_FlocksDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/kandangs/route.go b/internal/modules/master/kandangs/route.go
index 6a425b64..4cbf2793 100644
--- a/internal/modules/master/kandangs/route.go
+++ b/internal/modules/master/kandangs/route.go
@@ -15,9 +15,9 @@ func KandangRoutes(v1 fiber.Router, u user.UserService, s kandang.KandangService
 	route := v1.Group("/kandangs")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_KandangsGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_KandangsCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_KandangsGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_KandangsUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_KandangsDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/locations/route.go b/internal/modules/master/locations/route.go
index 68bce594..771e2d0d 100644
--- a/internal/modules/master/locations/route.go
+++ b/internal/modules/master/locations/route.go
@@ -15,9 +15,9 @@ func LocationRoutes(v1 fiber.Router, u user.UserService, s location.LocationServ
 	route := v1.Group("/locations")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_LocationsGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_LocationsCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_LocationsGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_LocationsUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_LocationsDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/nonstocks/route.go b/internal/modules/master/nonstocks/route.go
index 2aa7b838..6f2a2016 100644
--- a/internal/modules/master/nonstocks/route.go
+++ b/internal/modules/master/nonstocks/route.go
@@ -15,9 +15,9 @@ func NonstockRoutes(v1 fiber.Router, u user.UserService, s nonstock.NonstockServ
 	route := v1.Group("/nonstocks")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_NonstocksGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_NonstocksCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_NonstocksGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_NonstocksUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_NonstocksDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/product-categories/route.go b/internal/modules/master/product-categories/route.go
index 4a2262f9..1fa0532f 100644
--- a/internal/modules/master/product-categories/route.go
+++ b/internal/modules/master/product-categories/route.go
@@ -15,9 +15,9 @@ func ProductCategoryRoutes(v1 fiber.Router, u user.UserService, s productCategor
 	route := v1.Group("/product-categories")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_ProductCategoriesGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_ProductCategoriesCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_ProductCategoriesGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_ProductCategoriesUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_ProductCategoriesDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/products/route.go b/internal/modules/master/products/route.go
index 369d6ea8..04431bd4 100644
--- a/internal/modules/master/products/route.go
+++ b/internal/modules/master/products/route.go
@@ -15,9 +15,9 @@ func ProductRoutes(v1 fiber.Router, u user.UserService, s product.ProductService
 	route := v1.Group("/products")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_ProductsGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_ProductsCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_ProductsGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_ProductsUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_ProductsDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/suppliers/route.go b/internal/modules/master/suppliers/route.go
index 17271d4a..564ac725 100644
--- a/internal/modules/master/suppliers/route.go
+++ b/internal/modules/master/suppliers/route.go
@@ -15,9 +15,9 @@ func SupplierRoutes(v1 fiber.Router, u user.UserService, s supplier.SupplierServ
 	route := v1.Group("/suppliers")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_SuppliersGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_SuppliersCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_SuppliersGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_SuppliersUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_SuppliersDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/uoms/route.go b/internal/modules/master/uoms/route.go
index 53faa239..8ffbcb62 100644
--- a/internal/modules/master/uoms/route.go
+++ b/internal/modules/master/uoms/route.go
@@ -20,4 +20,10 @@ func UomRoutes(v1 fiber.Router, u user.UserService, s uom.UomService) {
 	route.Get("/:id", ctrl.GetOne)
 	route.Patch("/:id", ctrl.UpdateOne)
 	route.Delete("/:id", ctrl.DeleteOne)
+
+	route.Get("/",m.RequirePermissions(m.P_AreaGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_AreaCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_AreaGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_AreaUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_AreaDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/master/warehouses/route.go b/internal/modules/master/warehouses/route.go
index 8acf4452..a08b04a5 100644
--- a/internal/modules/master/warehouses/route.go
+++ b/internal/modules/master/warehouses/route.go
@@ -15,9 +15,9 @@ func WarehouseRoutes(v1 fiber.Router, u user.UserService, s warehouse.WarehouseS
 	route := v1.Group("/warehouses")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_WarehousesGetAll), ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_WarehousesCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_WarehousesGetOne), ctrl.GetOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_WarehousesUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_WarehousesDeleteOne), ctrl.DeleteOne)
 }
diff --git a/internal/modules/production/chickins/route.go b/internal/modules/production/chickins/route.go
index a558dd29..103a3655 100644
--- a/internal/modules/production/chickins/route.go
+++ b/internal/modules/production/chickins/route.go
@@ -16,9 +16,9 @@ func ChickinRoutes(v1 fiber.Router, u user.UserService, s chickin.ChickinService
 	route.Use(m.Auth(u))
 
 	// route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
+	route.Post("/",m.RequirePermissions(m.P_ChickinsCreateOne), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_ChickinsGetOne), ctrl.GetOne)
 	// route.Patch("/:id", ctrl.UpdateOne)
 	// route.Delete("/:id", ctrl.DeleteOne)
-	route.Post("/approvals", ctrl.Approval)
+	route.Post("/approvals",m.RequirePermissions(m.P_ChickinsApproval), ctrl.Approval)
 }
diff --git a/internal/modules/production/project-flock-kandangs/route.go b/internal/modules/production/project-flock-kandangs/route.go
index 3998a324..c5dba313 100644
--- a/internal/modules/production/project-flock-kandangs/route.go
+++ b/internal/modules/production/project-flock-kandangs/route.go
@@ -14,14 +14,8 @@ func ProjectFlockKandangRoutes(v1 fiber.Router, u user.UserService, s projectFlo
 
 	route := v1.Group("/project-flock-kandangs")
 	route.Use(m.Auth(u))
-	// route.Get("/", m.Auth(u), ctrl.GetAll)
-	// route.Post("/", m.Auth(u), ctrl.CreateOne)
-	// route.Get("/:id", m.Auth(u), ctrl.GetOne)
-	// route.Patch("/:id", m.Auth(u), ctrl.UpdateOne)
-	// route.Delete("/:id", m.Auth(u), ctrl.DeleteOne)
-
-	route.Get("/", ctrl.GetAll)
-	route.Get("/:id", ctrl.GetOne)
+	route.Get("/",m.RequirePermissions(m.P_ProjectFlockKandangsGetAll), ctrl.GetAll)
+	route.Get("/:id",m.RequirePermissions(m.P_ProjectFlockKandangsGetOne), ctrl.GetOne)
 	// route.Post("/:id/closing", m.RequirePermissions(m.PermissionProjectFlockClosing), ctrl.Closing)
 	// route.Get("/:id/closing/check", m.RequirePermissions(m.PermissionProjectFlockClosing), ctrl.CheckClosing)
 	route.Post("/:id/closing", ctrl.Closing)
diff --git a/internal/modules/production/project_flocks/route.go b/internal/modules/production/project_flocks/route.go
index 1fdefcdf..c0eb8657 100644
--- a/internal/modules/production/project_flocks/route.go
+++ b/internal/modules/production/project_flocks/route.go
@@ -15,13 +15,13 @@ func ProjectflockRoutes(v1 fiber.Router, u user.UserService, s projectflock.Proj
 	route := v1.Group("/project-flocks")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Delete("/:id", ctrl.DeleteOne)
-	route.Get("/kandangs/lookup", ctrl.LookupProjectFlockKandang)
-	route.Post("/approvals", ctrl.Approval)
-	route.Get("/locations/:location_id/periods", ctrl.GetPeriodSummary)
-	route.Put("/:id/resubmit", ctrl.Resubmit)
+	route.Get("/",m.RequirePermissions(m.P_ProjectFlockGetAll),ctrl.GetAll)
+	route.Post("/",m.RequirePermissions(m.P_ProjectFlockCreate), ctrl.CreateOne)
+	route.Get("/:id",m.RequirePermissions(m.P_ProjectFlockGetOne), ctrl.GetOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_ProjectFlockGetAll), ctrl.DeleteOne)
+	route.Get("/kandangs/lookup",m.RequirePermissions(m.P_ProjectFlockLookup), ctrl.LookupProjectFlockKandang)
+	route.Post("/approvals",m.RequirePermissions(m.P_ProjectFlockApprove), ctrl.Approval)
+	route.Get("/locations/:location_id/periods",m.RequirePermissions(m.P_ProjectFlockNextPeriod), ctrl.GetPeriodSummary)
+	route.Put("/:id/resubmit",m.RequirePermissions(m.P_ProjectFlockResubmit), ctrl.Resubmit)
 
 }
diff --git a/internal/modules/production/recordings/route.go b/internal/modules/production/recordings/route.go
index 83b426db..f05d054d 100644
--- a/internal/modules/production/recordings/route.go
+++ b/internal/modules/production/recordings/route.go
@@ -15,11 +15,11 @@ func RecordingRoutes(v1 fiber.Router, u user.UserService, s recording.RecordingS
 	route := v1.Group("/recordings")
 	route.Use(m.Auth(u))
 
-	route.Get("/", ctrl.GetAll)
-	route.Get("/next-day", ctrl.GetNextDay)
-	route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
-	route.Patch("/:id", ctrl.UpdateOne)
-	route.Post("/approvals", ctrl.Approve)
-	route.Delete("/:id", ctrl.DeleteOne)
+	route.Get("/",m.RequirePermissions(m.P_RecordingGetAll), ctrl.GetAll)
+	route.Get("/:id",m.RequirePermissions(m.P_RecordingGetOne), ctrl.GetOne)
+	route.Post("/",m.RequirePermissions(m.P_RecordingCreateOne), ctrl.CreateOne)
+	route.Patch("/:id",m.RequirePermissions(m.P_RecordingUpdateOne), ctrl.UpdateOne)
+	route.Delete("/:id",m.RequirePermissions(m.P_RecordingDeleteOne), ctrl.DeleteOne)
+	route.Get("/next-day",m.RequirePermissions(m.P_RecordingNextDay), ctrl.GetNextDay)
+	route.Post("/approvals",m.RequirePermissions(m.P_RecordingApproval), ctrl.Approve)
 }
diff --git a/internal/modules/purchases/route.go b/internal/modules/purchases/route.go
index 5145bc94..4be485e6 100644
--- a/internal/modules/purchases/route.go
+++ b/internal/modules/purchases/route.go
@@ -15,12 +15,12 @@ func Routes(router fiber.Router, purchaseService service.PurchaseService, userSe
 	route := router.Group("/purchases")
 	route.Use(m.Auth(userService))
 
-	route.Get("/", ctrl.GetAll)
-	route.Get("/:id", ctrl.GetOne)
-	route.Post("/", ctrl.CreateOne)
-	route.Post("/:id/approvals/staff", ctrl.ApproveStaffPurchase)
-	route.Post("/:id/approvals/manager", ctrl.ApproveManagerPurchase)
-	route.Post("/:id/receipts", ctrl.ReceiveProducts)
-	route.Delete("/:id", ctrl.DeletePurchase)
-	route.Delete("/:id/items", ctrl.DeleteItems)
+	route.Get("/",m.RequirePermissions(m.P_PurchaseGetAll), ctrl.GetAll)
+	route.Get("/:id",m.RequirePermissions(m.P_PurchaseGetOne), ctrl.GetOne)
+	route.Post("/",m.RequirePermissions(m.P_PurchaseCreateOne), ctrl.CreateOne)
+	route.Post("/:id/approvals/staff",m.RequirePermissions(m.P_PurchaseApprovalStaff), ctrl.ApproveStaffPurchase)
+	route.Post("/:id/approvals/manager",m.RequirePermissions(m.P_PurchaseApprovalManager), ctrl.ApproveManagerPurchase)
+	route.Post("/:id/receipts",m.RequirePermissions(m.P_PurchaseReceive), ctrl.ReceiveProducts)
+	route.Delete("/:id",m.RequirePermissions(m.P_RecordingDeleteOne), ctrl.DeletePurchase)
+	route.Delete("/:id/items",m.RequirePermissions(m.P_PurchaseItemDeleteOne), ctrl.DeleteItems)
 }
diff --git a/internal/modules/repports/module.go b/internal/modules/repports/module.go
index f3798f6a..ab24faf7 100644
--- a/internal/modules/repports/module.go
+++ b/internal/modules/repports/module.go
@@ -12,6 +12,9 @@ import (
 
 	expenseRepo "gitlab.com/mbugroup/lti-api.git/internal/modules/expenses/repositories"
 	marketingRepo "gitlab.com/mbugroup/lti-api.git/internal/modules/marketing/repositories"
+
+	rUser "gitlab.com/mbugroup/lti-api.git/internal/modules/users/repositories"
+	sUser "gitlab.com/mbugroup/lti-api.git/internal/modules/users/services"
 )
 
 type RepportModule struct{}
@@ -22,9 +25,11 @@ func (RepportModule) RegisterRoutes(router fiber.Router, db *gorm.DB, validate *
 	marketingDeliveryProductRepository := marketingRepo.NewMarketingDeliveryProductRepository(db)
 	approvalRepository := commonRepo.NewApprovalRepository(db)
 	purchaseSupplierRepository := repportRepo.NewPurchaseSupplierRepository(db)
+	userRepository := rUser.NewUserRepository(db)
 
 	approvalSvc := approvalService.NewApprovalService(approvalRepository)
 	repportService := sRepport.NewRepportService(validate, expenseRealizationRepository, marketingDeliveryProductRepository, approvalSvc, purchaseSupplierRepository)
+	userService := sUser.NewUserService(userRepository, validate)
 
-	RepportRoutes(router, repportService)
+	RepportRoutes(router, userService, repportService)
 }
diff --git a/internal/modules/repports/route.go b/internal/modules/repports/route.go
index d24caac5..45dc32b7 100644
--- a/internal/modules/repports/route.go
+++ b/internal/modules/repports/route.go
@@ -1,18 +1,21 @@
 package repports
 
 import (
+	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	controller "gitlab.com/mbugroup/lti-api.git/internal/modules/repports/controllers"
 	repport "gitlab.com/mbugroup/lti-api.git/internal/modules/repports/services"
+	user "gitlab.com/mbugroup/lti-api.git/internal/modules/users/services"
 
 	"github.com/gofiber/fiber/v2"
 )
 
-func RepportRoutes(v1 fiber.Router, s repport.RepportService) {
+func RepportRoutes(v1 fiber.Router, u user.UserService, s repport.RepportService) {
 	ctrl := controller.NewRepportController(s)
 
 	route := v1.Group("/reports")
+	route.Use(m.Auth(u))
 
-	route.Get("/expense", ctrl.GetExpense)
-	route.Get("/marketing", ctrl.GetMarketing)
-	route.Get("/purchase-supplier", ctrl.GetPurchaseSupplier)
+	route.Get("/expense", m.RequirePermissions(m.P_ReportExpenseGetAll), ctrl.GetExpense)
+	route.Get("/marketing", m.RequirePermissions(m.P_ReportDeliveryGetAll), ctrl.GetMarketing)
+	route.Get("/purchase-supplier", m.RequirePermissions(m.P_ReportPurchaseSupplierGetAll), ctrl.GetPurchaseSupplier)
 }
diff --git a/internal/modules/users/route.go b/internal/modules/users/route.go
index 9ba6bfb3..d6aa03fe 100644
--- a/internal/modules/users/route.go
+++ b/internal/modules/users/route.go
@@ -3,7 +3,7 @@ package users
 import (
 	"github.com/gofiber/fiber/v2"
 
-	"gitlab.com/mbugroup/lti-api.git/internal/middleware"
+	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	controller "gitlab.com/mbugroup/lti-api.git/internal/modules/users/controllers"
 	user "gitlab.com/mbugroup/lti-api.git/internal/modules/users/services"
 )
@@ -12,11 +12,11 @@ func UserRoutes(v1 fiber.Router, s user.UserService) {
 	ctrl := controller.NewUserController(s)
 
 	route := v1.Group("/users")
-	route.Use(middleware.Auth(s))
+	route.Use(m.Auth(s))
 
-	route.Get("/", ctrl.GetAll)
+	route.Get("/", m.RequirePermissions(m.P_UserGetAll), ctrl.GetAll)
 	// route.Post("/", ctrl.CreateOne)
-	route.Get("/:id", ctrl.GetOne)
+	route.Get("/:id", m.RequirePermissions(m.P_UserGetOne), ctrl.GetOne)
 	// route.Patch("/:id", ctrl.UpdateOne)
 	// route.Delete("/:id", ctrl.DeleteOne)
 }