diff --git a/app/Http/Controllers/BranchController.php b/app/Http/Controllers/BranchController.php
index b1c070f..1271096 100644
--- a/app/Http/Controllers/BranchController.php
+++ b/app/Http/Controllers/BranchController.php
@@ -12,15 +12,35 @@ class BranchController extends Controller {
-    public $user;
+    /**
+     * Get the authenticated user.
+     *
+     * @return \Illuminate\Contracts\Auth\Authenticatable|null
+     */
+    protected function getUser()
+    {
+        return \Illuminate\Support\Facades\Auth::guard('web')->user();
+    }
     public function index()
     {
+        // Check if the authenticated user has the required permission to view branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.read')) {
+            abort(403, 'Sorry! You are not allowed to view branches.');
+        }
+
         return view('basicdata::branch.index');
     }
     public function store(BranchRequest $request)
     {
+        // Check if the authenticated user has the required permission to create branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.create')) {
+            abort(403, 'Sorry! You are not allowed to create branches.');
+        }
+
         $validate = $request->validated();
         if ($validate) {
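Review bot: The five-line permission gate is duplicated in `index` and `store` here and again in every action of the later hunks (create, edit, update, destroy, deleteMultiple, dataForDatatables, export), so the policy lives in nine copies and any action added later ships unguarded by default. Laravel already has one place for this: `$this->authorize('basic-data.read');` as the first statement of an action (it consults the same Gate that `$user->can()` does, denies a guest, and renders as a 403 — JSON when the request wants JSON — provided the base Controller still uses AuthorizesRequests), or a single constructor line such as `$this->middleware('permission:basic-data.read')->only(['index', 'dataForDatatables']);` if the project's permission package registers that middleware alias, which I cannot see from this page. `getUser()` also hardcodes the `web` guard and is documented as returning `Authenticatable|null`, on which `can()` is not declared, so a static analyser will flag every call site; returning the app's `User|null` would match how the result is used. Only the opening `if ($validate) {` of `store` is visible; its body continues outside the hunk.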
@@ -40,17 +60,35 @@ public function create() {
+        // Check if the authenticated user has the required permission to create branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.create')) {
+            abort(403, 'Sorry! You are not allowed to create branches.');
+        }
+
         return view('basicdata::branch.create');
     }
     public function edit($id)
     {
+        // Check if the authenticated user has the required permission to update branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.update')) {
+            abort(403, 'Sorry! You are not allowed to update branches.');
+        }
+
         $branch = Branch::find($id);
         return view('basicdata::branch.create', compact('branch'));
     }
     public function update(BranchRequest $request, $id)
     {
+        // Check if the authenticated user has the required permission to update branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.update')) {
+            abort(403, 'Sorry! You are not allowed to update branches.');
+        }
+
         $validate = $request->validated();
         if ($validate) {
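Review bot: Once the new gate in `edit` passes, the unchanged `Branch::find($id)` can still return null, and that null `$branch` goes straight into `compact('branch')`; create.blade.php then evaluates `@if(isset($branch->id))` as false and renders the create form for an unknown id instead of a 404. `$branch = Branch::findOrFail($id);` gives the 404, or route-model binding (`public function edit(Branch $branch)`) lets the framework do it. `update` takes the same raw `$id`; its body continues outside the hunk, so I cannot see how it resolves the model.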
@@ -71,28 +109,42 @@ public function destroy($id) {
+        // Check if the authenticated user has the required permission to delete branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.delete')) {
+            return response()->json(['success' => false, 'message' => 'Sorry! You are not allowed to delete branches.'], 403);
+        }
+
         try {
             // Delete from database
             $branch = Branch::find($id);
             $branch->delete();
-            echo json_encode(['success' => true, 'message' => 'Branch deleted successfully']);
+            return response()->json(['success' => true, 'message' => 'Branch deleted successfully']);
         } catch (Exception $e) {
-            echo json_encode(['success' => false, 'message' => 'Failed to delete branch']);
+            return response()->json(['success' => false, 'message' => 'Failed to delete branch']);
         }
     }
     public function deleteMultiple(Request $request)
     {
+        // Check if the authenticated user has the required permission to delete branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.delete')) {
+            return response()->json(['success' => false, 'message' => 'Sorry! You are not allowed to delete branches.'], 403);
+        }
+
         $ids = $request->input('ids');
         Branch::whereIn('id', $ids)->delete();
-        return response()->json(['message' => 'Branches deleted successfully']);
+        return response()->json(['success' => true, 'message' => 'Branches deleted successfully']);
     }
     public function dataForDatatables(Request $request)
     {
-        if (is_null($this->user) || !$this->user->can('branch.view')) {
-            //abort(403, 'Sorry! You are not allowed to view users.');
+        // Check if the authenticated user has the required permission to view branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.read')) {
+            return response()->json(['success' => false, 'message' => 'Sorry! You are not allowed to view branches.'], 403);
         }
         // Retrieve data from the database
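Review bot: The gate added to `destroy` is sound, but the code under it still does `Branch::find($id)` followed by `$branch->delete()`, so an unknown id raises an `Error` (method call on null) that `catch (Exception $e)` does not catch, and the endpoint answers 500 rather than the JSON failure it intends; `$branch = Branch::findOrFail($id);` placed before the `try` turns that into a 404 instead of being swallowed by the catch as "Failed to delete branch". `deleteMultiple` likewise hands `$request->input('ids')` to `whereIn` unvalidated, so a missing or non-array `ids` throws rather than returning a 4xx; `$ids = $request->validate(['ids' => ['required', 'array'], 'ids.*' => ['integer', 'exists:branches,id']])['ids'];` makes the contract explicit. Whether `Exception` here resolves to `\Exception` depends on a `use Exception;` in the file header, which is outside this hunk. `dataForDatatables` continues past the hunk.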
@@ -152,6 +204,12 @@ public function export() {
+        // Check if the authenticated user has the required permission to export branches
+        $user = $this->getUser();
+        if (is_null($user) || !$user->can('basic-data.export')) {
+            abort(403, 'Sorry! You are not allowed to export branches.');
+        }
+
         return Excel::download(new BranchExport, 'branch.xlsx');
     }
 }
diff --git a/resources/views/branch/create.blade.php b/resources/views/branch/create.blade.php
index f9cb3b7..93dcfa5 100644
--- a/resources/views/branch/create.blade.php
+++ b/resources/views/branch/create.blade.php
@@ -47,9 +47,19 @@
- + @if(isset($branch->id)) + @can('basic-data.update') + + @endcan + @else + @can('basic-data.create') + + @endcan + @endif
diff --git a/resources/views/branch/index.blade.php b/resources/views/branch/index.blade.php index 54e24d2..af36573 100644 --- a/resources/views/branch/index.blade.php +++ b/resources/views/branch/index.blade.php @@ -19,9 +19,15 @@
+ @can('basic-data.export') Export to Excel + @endcan + @can('basic-data.create') Tambah Cabang + @endcan + @can('basic-data.delete') + @endcan
@@ -165,14 +171,22 @@ actions: { title: 'Status', render: (item, data) => { - return `
- + let html = `
`; + + @can('basic-data.update') + html += ` - - + `; + @endcan + + @can('basic-data.delete') + html += ` - -
`; + `; + @endcan + + html += `
`; + return html; }, } }, @@ -213,4 +227,3 @@ window.dataTable = dataTable; @endpush - diff --git a/tests/Feature/BranchControllerTest.php b/tests/Feature/BranchControllerTest.php new file mode 100644 index 0000000..d6c4eb7 --- /dev/null +++ b/tests/Feature/BranchControllerTest.php 
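Review bot: The `render` callback now assembles `html` from several template literals, but this page's rendering stripped the markup inside them, so I cannot see what is interpolated; anything taken from `item`/`data` that lands in that string is inserted into the table as HTML, not text, and the branch `code` and `name` are user-supplied through BranchRequest. If those fields are interpolated here, pass them through an HTML-escaping helper before concatenation, or keep the literals to the id and URLs and let the table library render the text columns itself. The `@can` blocks only decide which buttons are drawn; the checks in BranchController are what enforce the permission, so nothing in this template should be relied on for that. The `actions:` object this callback belongs to starts before the hunk.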
@@ -0,0 +1,280 @@ + 'basic-data', + 'slug' => 'basic-data' + ]); + + // Create permissions with permission_group_id + Permission::create([ + 'name' => 'basic-data.create', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.read', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.update', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.delete', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.export', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + + // Create admin role with all permissions + $this->adminRole = Role::create(['name' => 'admin', 'guard_name' => 'web']); + $this->adminRole->givePermissionTo(Permission::all()); + + // Create a user with admin role + $this->user = User::factory()->create(); + $this->user->assignRole($this->adminRole); + + // Create a branch for testing + $this->branch = Branch::create([ + 'code' => 'TEST', + 'name' => 'Test Branch' + ]); + } + + #[Test] + public function user_with_permission_can_view_branches_index() + { + $response = $this->actingAs($this->user) + ->get(route('basicdata.branch.index')); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_view_branches_index() + { + // Create a role without permissions + $role = Role::create(['name' => 'viewer', 'guard_name' => 'web']); + + // Create a user with the viewer role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.branch.index')); + + $response->assertStatus(403); + } + + #[Test] + public function user_with_permission_can_create_branch() + { + $response = $this->actingAs($this->user) + 
->get(route('basicdata.branch.create')); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_create_branch() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.branch.create')); + + $response->assertStatus(403); + } + + #[Test] + public function user_with_permission_can_store_branch() + { + $branchData = [ + 'code' => 'NEW', + 'name' => 'New Branch' + ]; + + $response = $this->actingAs($this->user) + ->post(route('basicdata.branch.store'), $branchData); + + $response->assertRedirect(route('basicdata.branch.index')); + $this->assertDatabaseHas('branches', $branchData); + } + + #[Test] + public function user_without_permission_cannot_store_branch() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $branchData = [ + 'code' => 'NEW', + 'name' => 'New Branch' + ]; + + $response = $this->actingAs($user) + ->post(route('basicdata.branch.store'), $branchData); + + $response->assertStatus(403); + $this->assertDatabaseMissing('branches', $branchData); + } + + #[Test] + public function user_with_permission_can_edit_branch() + { + $response = $this->actingAs($this->user) + ->get(route('basicdata.branch.edit', $this->branch->id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_edit_branch() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the 
reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.branch.edit', $this->branch->id)); + + $response->assertStatus(403); + } + + #[Test] + public function user_with_permission_can_update_branch() + { + $updatedData = [ + 'code' => 'UPD', + 'name' => 'Updated Branch' + ]; + + $response = $this->actingAs($this->user) + ->put(route('basicdata.branch.update', $this->branch->id), $updatedData); + + $response->assertRedirect(route('basicdata.branch.index')); + $this->assertDatabaseHas('branches', $updatedData); + } + + #[Test] + public function user_without_permission_cannot_update_branch() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $updatedData = [ + 'code' => 'UPD', + 'name' => 'Updated Branch' + ]; + + $response = $this->actingAs($user) + ->put(route('basicdata.branch.update', $this->branch->id), $updatedData); + + $response->assertStatus(403); + $this->assertDatabaseMissing('branches', $updatedData); + } + + #[Test] + public function user_with_permission_can_delete_branch() + { + $response = $this->actingAs($this->user) + ->delete(route('basicdata.branch.destroy', $this->branch->id)); + + $response->assertJson(['success' => true]); + $this->assertSoftDeleted($this->branch); + } + + #[Test] + public function user_without_permission_cannot_delete_branch() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->delete(route('basicdata.branch.destroy', $this->branch->id)); + + 
$response->assertStatus(403); + $this->assertDatabaseHas('branches', ['id' => $this->branch->id, 'deleted_at' => null]); + } + + #[Test] + public function user_with_permission_can_export_branches() + { + $response = $this->actingAs($this->user) + ->get(route('basicdata.branch.export')); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_export_branches() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.branch.export')); + + $response->assertStatus(403); + } +}
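Review bot: No test covers the unauthenticated path that every controller check handles (`is_null($user)`), nor the two JSON-gated endpoints `deleteMultiple` and `dataForDatatables`; since each action carries its own copy of the check, a regression in one of those copies would pass this suite. The class header, `use` imports and the start of `setUp()` are missing from this page, so I cannot see whether `RefreshDatabase` is in use; the `Role::create(['name' => 'reader', ...])` repeated in six tests depends on it, and that setup would read better as one helper such as `private function readerUser(): User`. Two additional cases, with the deleteMultiple route name and verb left as placeholders because they are not visible here:
```php
#[Test]
public function guest_is_rejected_on_branches_index()
{
    // No actingAs(): getUser() returns null, so the controller's is_null($user) branch aborts with 403.
    // If the route group carries the auth middleware this becomes a redirect to login instead — adjust accordingly.
    $this->get(route('basicdata.branch.index'))->assertStatus(403);
}

#[Test]
public function user_without_permission_cannot_delete_multiple_branches()
{
    $role = Role::create(['name' => 'reader', 'guard_name' => 'web']);
    $role->givePermissionTo('basic-data.read');
    $user = User::factory()->create();
    $user->assignRole($role);

    $this->actingAs($user)
        ->postJson(route('ROUTE_NAME_PLACEHOLDER_deleteMultiple'), ['ids' => [$this->branch->id]])
        ->assertStatus(403)
        ->assertJson(['success' => false]);
    $this->assertDatabaseHas('branches', ['id' => $this->branch->id, 'deleted_at' => null]);
}
```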