
Role Based Permissions

Role Based Permissions allow administrators to control access to documents and actions in ERPNext by assigning permissions to roles. Users inherit permissions through their assigned roles, ensuring secure and structured access to business data.

The Role Permissions Manager provides a centralized way to define which roles can create, view, edit, submit, cancel, or delete specific document types.

1. Accessing Role Permissions Manager

To configure role-based permissions, navigate to:

Home > Users and Permissions > Role Permissions Manager

From this screen, administrators can manage permissions for each DocType and role combination.

2. Permission Components

Role Based Permissions are configured using several key components.

Roles

Permissions are assigned to roles rather than individual users.

Examples include:

  • Employee
  • HR User
  • HR Manager
  • Accounts Manager
  • Sales User

Users receive permissions based on the roles assigned to them.

Document Types

Permissions are defined separately for each DocType.

Examples include:

  • Leave Application
  • Sales Invoice
  • Stock Entry
  • Expense Claim

Each DocType can have its own permission structure.

Permission Levels

Fields within a document can be grouped into Permission Levels ranging from 0 to 9.

  • Level 0 is the default permission level.
  • Higher levels can be used to restrict access to sensitive fields.
  • Permissions can be configured independently for each level.

Permission Levels allow administrators to control access to specific fields without restricting access to the entire document.

Document Stages

Permissions can be granted for different document actions, including:

  • Read
  • Write
  • Create
  • Delete
  • Submit
  • Cancel
  • Amend
  • Print
  • Email
  • Import
  • Export
  • Report Access
  • Set User Permissions

User Permissions

User Permissions provide record-level restrictions within a DocType.

Examples:

  • Restrict a Sales User to a specific Territory.
  • Restrict an Employee to their own Leave Applications.
  • Restrict a Manager to records belonging to their team.

User Permissions also apply automatically through linked fields and related documents.

3. Adding Permission Rules

To create a new permission rule:

  1. Open the Role Permissions Manager.
  2. Select the required DocType.
  3. Click Add a New Rule.
  4. Select the Role.
  5. Choose the Permission Level.
  6. Configure the required permissions.
  7. Save the changes.

Multiple permission rules can be created for the same DocType using different roles and permission levels.

4. Example: Leave Application Permissions

Leave Application is a common example that demonstrates how Role Based Permissions work in ERPNext.

Employee Access

Employees should be able to:

  • Create Leave Applications.
  • View their own Leave Applications.
  • Edit their own draft applications.

Required permissions:

  • Read
  • Write
  • Create

To prevent employees from accessing other employees’ leave records, create User Permissions linking each User to their Employee record.

Select-Only Access

In some situations, users should be able to select a document in a Link field without having access to open or view the document itself.

For such cases, grant:

  • Select Permission

without providing Read access.

HR Manager Access

HR Managers typically require visibility across all leave records.

Recommended permissions:

  • Read
  • Submit
  • Cancel

Disable “Apply User Permissions” to provide access to all Leave Applications.

Leave Approver Access

Leave Approvers should be able to review and update leave requests submitted by employees reporting to them.

Recommended permissions:

  • Read
  • Write
  • Submit

Enable:

  • Apply User Permissions

This ensures Leave Approvers only see records belonging to employees under their supervision.

Approval and Rejection Control

The Status field of a Leave Application can be assigned to a higher Permission Level.

For example:

  • Status Field → Permission Level 1

Grant Level 1 Write access only to:

  • HR User
  • Leave Approver

All other users should have read-only access.

This ensures only authorized personnel can approve or reject leave requests.
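The Leave Application setup described above, expressed as a simplified Python model so the interaction between role rules, Permission Levels and User Permissions can be checked. This is an added example, not ERPNext or Frappe code; the user names, Employee IDs and rule set are constructed, and the model assumes that a user with no User Permission entries is not filtered at record level.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    role: str
    level: int            # Permission Level, 0-9
    actions: frozenset    # actions granted at that level
    apply_user_permissions: bool

# Constructed rules for the Leave Application DocType, following the section above.
RULES = [
    Rule("Employee", 0, frozenset({"read", "write", "create"}), True),
    Rule("Employee", 1, frozenset({"read"}), True),
    Rule("Leave Approver", 0, frozenset({"read", "write", "submit"}), True),
    Rule("Leave Approver", 1, frozenset({"read", "write"}), True),
    Rule("HR Manager", 0, frozenset({"read", "submit", "cancel"}), False),
    Rule("HR Manager", 1, frozenset({"read"}), False),
]
FIELD_LEVELS = {"status": 1}  # fields not listed are level 0

# Constructed users. USER_PERMISSIONS maps a user to the Employee records they are limited to.
USER_ROLES = {"alice": {"Employee"}, "bob": {"Leave Approver"},
              "carol": {"HR Manager"}, "dave": {"Employee"}}
USER_PERMISSIONS = {"alice": {"EMP-001"}, "bob": {"EMP-001", "EMP-002"}}

def allowed(user, action, doc, level=0):
    """True if any of the user's roles grants `action` at `level` for this record."""
    for rule in RULES:
        if (rule.role not in USER_ROLES.get(user, set())
                or rule.level != level or action not in rule.actions):
            continue
        limit = USER_PERMISSIONS.get(user)
        # Model assumption: a user with no User Permission entries is not filtered.
        if not rule.apply_user_permissions or limit is None or doc["employee"] in limit:
            return True
    return False

def can_write_field(user, doc, field):
    """Field write needs level-0 read on the record plus write at the field's level."""
    return (allowed(user, "read", doc)
            and allowed(user, "write", doc, FIELD_LEVELS.get(field, 0)))

def unrestricted_users():
    """Audit check: users whose only rules apply User Permissions but who have none set."""
    return sorted(u for u, roles in USER_ROLES.items()
                  if u not in USER_PERMISSIONS
                  and all(r.apply_user_permissions for r in RULES if r.role in roles))
```

In this model `dave` holds the Employee role but has no User Permission linking him to an Employee record, so he can read every Leave Application; `unrestricted_users()` is the check that surfaces that gap.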

Delegating Access

HR Users can be allowed to create and manage User Permissions for other users.

Enable the following permission:

  • Set User Permissions

This allows HR users to delegate document access without requiring System Manager privileges.

5. Best Practices

  • Assign permissions through roles instead of individual users whenever possible.
  • Use User Permissions for record-level restrictions.
  • Use Permission Levels to secure sensitive fields.
  • Enable Apply User Permissions only when restricted access is required.
  • Review permission rules regularly to maintain security and compliance.

IMPORTANT

If users continue to encounter permission errors after role assignment, verify both Role Permissions and User Permissions, as access restrictions can be enforced at either level.

Related Topics

  • User Permissions
  • Role Profiles
  • Permission Levels
  • Role Permission for Pages and Reports
  • Employee Hierarchy Permissions

SUMMARY

Role Based Permissions in ERPNext allow administrators to control document access, actions, and field-level visibility through roles. Combined with User Permissions and Permission Levels, they provide a flexible and secure framework for managing access across the organization.
