diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php
index 1beae7595..bc079ecc8 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/Cases.php
@@ -85,6 +85,12 @@ class Cases
 Validator::usrUid($dataList["userId"], "userId");
 }
+ $user = new \ProcessMaker\BusinessModel\User();
+
+ if (!$user->checkPermission($dataList["userId"], "PM_ALLCASES")) {
+ throw new \Exception(\G::LoadTranslation("ID_CASE_USER_NOT_HAVE_PERMISSION", array($dataList["userId"])));
+ }
+
 G::LoadClass("applications");
 $solrEnabled = false;
 $userUid = $dataList["userId"];
@@ -755,7 +761,7 @@ class Cases
 $arrayProcess = $appCacheView->getProUidSupervisor($usr_uid);
 $criteria = new \Criteria("workflow");
-
+
 $criteria->addSelectColumn(\AppDelegationPeer::APP_UID);
 $criteria->add(\AppDelegationPeer::APP_UID, $app_uid, \Criteria::EQUAL);
 $criteria->add(\AppDelegationPeer::DEL_INDEX, $del_index, \Criteria::EQUAL);
diff --git a/workflow/engine/src/ProcessMaker/BusinessModel/User.php b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
index ba9730fe7..a81d6c88c 100644
--- a/workflow/engine/src/ProcessMaker/BusinessModel/User.php
+++ b/workflow/engine/src/ProcessMaker/BusinessModel/User.php
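Review bot: The PM_ALLCASES check added in the first Cases.php hunk is evaluated against `$dataList["userId"]`, and nothing in the hunk ties that value to the authenticated caller. If the field can be supplied by the client, the check decides on the user that was named rather than on the one making the request, so confirm at the call site that `userId` comes from the session or access token and record it above the check, e.g. `// $dataList["userId"] must be the authenticated user's UID, never a request parameter`. The `Validator::usrUid` call in the context lines sits inside a block that closes before the new code, so the check also runs when that block was skipped; presumably `checkPermission` then finds no matching permission and the request is refused, but that deny-by-default path deserves a test. The enclosing method starts and ends outside the hunk.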
@@ -336,10 +336,10 @@ class User
 //Get Calendar
 $calendar = new \Calendar();
 $calendarInfo = $calendar->getCalendarFor( $record["USR_UID"], "", "" );
- $aFields["USR_CALENDAR_UID"] = ($calendarInfo["CALENDAR_APPLIED"] != "DEFAULT") ? $calendarInfo["CALENDAR_UID"] : "";
+ $aFields["USR_CALENDAR_UID"] = ($calendarInfo["CALENDAR_APPLIED"] != "DEFAULT") ? $calendarInfo["CALENDAR_UID"] : "";
 $aFields["USR_CALENDAR"] = ($aFields["USR_CALENDAR_UID"] != "") ? $calendar->calendarName( $aFields["USR_CALENDAR_UID"] ) : $aFields["USR_CALENDAR_UID"];
- //Get photo
+ //Get photo
 $pathPhotoUser = PATH_IMAGES_ENVIRONMENT_USERS . $record["USR_UID"] . ".gif";
 if (! file_exists( $pathPhotoUser )) {
 $pathPhotoUser = PATH_HOME . "public_html" . PATH_SEP . "images" . PATH_SEP . "user.gif";
@@ -1116,4 +1116,33 @@ class User
 throw $e;
 }
 }
+
+ /**
+ * Check permission
+ *
+ * @param string $userUid Unique uid of User
+ * @param string $permissionCode Permission code
+ *
+ * return bool
+ */
+ public function checkPermission($userUid, $permissionCode)
+ {
+ try {
+ $flagPermission = false;
+
+ $arrayUserRolePermission = $this->loadUserRolePermission("PROCESSMAKER", $userUid);
+
+ foreach ($arrayUserRolePermission as $value) {
+ if ($value["PER_CODE"] == $permissionCode) {
+ $flagPermission = true;
+ break;
+ }
+ }
+
+ //Return
+ return $flagPermission;
+ } catch (\Exception $e) {
+ throw $e;
+ }
+ }
 }
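Review bot: In the new `checkPermission` method the comparison `$value["PER_CODE"] == $permissionCode` is loose, so on PHP versions before 8 a non-string argument such as integer `0` compares equal to any non-numeric permission code and the method would report the permission as held; use `if ($value["PER_CODE"] === $permissionCode) {`. The `try { ... } catch (\Exception $e) { throw $e; }` wrapper only rethrows and can be dropped without changing behaviour. The docblock line `* return bool` is missing its tag marker and should read `* @return bool`, and it could state that the method returns false when no entry from `loadUserRolePermission("PROCESSMAKER", $userUid)` matches the code.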