Permission at Level 0 Must Be Set Before Higher Levels
While configuring permissions in the Role Permission Manager, you may encounter the following validation error:
For System Manager (or another role) at level 2 (or another level) in Customer (or another document) in row X: Permission at level 0 must be set before higher levels are set.
This error indicates that a role has been granted permissions at a higher Permission Level (Perm Level 1, 2, 3, etc.) without having the required permissions configured at Perm Level 0.
Why This Happens
ERPNext requires every permission hierarchy to start at Perm Level 0. Higher permission levels can only be assigned when the same role already has access defined at Level 0.
Understanding Permission Levels
Permission Levels allow organizations to control access to specific fields within a document.
For example:
- Perm Level 0 – Standard document access.
- Perm Level 1 – Additional fields visible only to specific roles.
- Perm Level 2+ – Advanced access control for sensitive information.
ERPNext validates this hierarchy to ensure permissions remain consistent and secure.
Example Scenario
Suppose the System Manager role has:
- Read access at Perm Level 2
- Write access at Perm Level 2
but no permissions at Perm Level 0.
In this case, ERPNext will reject the configuration and display the validation error because higher-level permissions cannot exist without a base-level permission rule.
How to Fix the Error
You can resolve the issue using either of the following methods.
Option 1: Add Permission at Level 0
Grant the required permissions for the role at Perm Level 0.
Steps:
- Open the Role Permission Manager.
- Select the affected Document Type.
- Locate the role mentioned in the error message.
- Create or update a permission rule at Perm Level 0.
- Save the changes.
This is the recommended approach when the role genuinely requires access to higher permission levels.
Option 2: Remove Higher-Level Permissions
If the role should not have advanced access, remove the permissions assigned at higher levels.
Steps:
- Open the Role Permission Manager.
- Select the affected Document Type.
- Locate permission rules at Perm Level 1, 2, or higher.
- Delete the unnecessary permission entries.
- Save the document.
Validation Rule in ERPNext
ERPNext follows a simple permission hierarchy:
Perm Level 0
↓
Perm Level 1
↓
Perm Level 2
↓
Perm Level 3+
A role cannot receive permissions at a higher level unless the same role already has a permission rule at Perm Level 0.
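The same check can be run over an exported list of permission rules before you change anything in the Role Permission Manager. The script below is an added example, not ERPNext's own validation code; the row layout and field names (doctype, role, permlevel, read, write) and the sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like an export of permission rules.
# The field names (doctype, role, permlevel, read, write) are assumptions.
SAMPLE_RULES = [
    {"doctype": "Customer", "role": "Sales User", "permlevel": 0, "read": 1, "write": 1},
    {"doctype": "Customer", "role": "Sales User", "permlevel": 1, "read": 1, "write": 0},
    {"doctype": "Customer", "role": "System Manager", "permlevel": 2, "read": 1, "write": 1},
    {"doctype": "Supplier", "role": "Accounts Manager", "permlevel": 0, "read": 1, "write": 0},
    {"doctype": "Supplier", "role": "Purchase User", "permlevel": 1, "read": 1, "write": 0},
    {"doctype": "Supplier", "role": "Purchase User", "permlevel": "3", "read": 1, "write": 1},
]


def find_missing_level_zero(rules):
    """Return (doctype, role, higher_levels) for every role that has rules
    above Perm Level 0 on a document type but no rule at Perm Level 0."""
    levels = defaultdict(set)
    for row in rules:
        # Exports may carry permlevel as a string or leave it empty; empty means 0.
        level = int(row.get("permlevel") or 0)
        if level < 0:
            raise ValueError(f"negative permlevel in row: {row!r}")
        levels[(row["doctype"], row["role"])].add(level)

    findings = []
    for (doctype, role), seen in sorted(levels.items()):
        if 0 not in seen:  # every level in `seen` is therefore above 0
            findings.append((doctype, role, sorted(seen)))
    return findings


def format_finding(doctype, role, higher_levels):
    """Render one finding together with the two fixes the page describes."""
    lv = ", ".join(str(n) for n in higher_levels)
    return (f"{role} on {doctype}: rules at level {lv} but none at level 0. "
            f"Add a level 0 rule, or remove the level {lv} rules.")


if __name__ == "__main__":
    for finding in find_missing_level_zero(SAMPLE_RULES):
        print(format_finding(*finding))
```

Each reported pair is a rule set that would trigger the validation error when saved; apply Option 1 or Option 2 to it and rerun the check until it returns nothing.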
Best Practices
- Always configure base permissions at Perm Level 0 first.
- Use higher permission levels only for sensitive fields.
- Review existing permission rules before adding new ones.
- Keep permission hierarchies simple and easy to audit.
Summary
This error occurs when a role has permissions assigned at a higher Permission Level without having a corresponding permission rule at Perm Level 0. To resolve it, either grant the role access at Level 0 or remove the higher-level permissions that depend on it.
Related Topics
- Role Permission Manager
- Role Based Permissions
- User Permissions
- Permission Levels
- Customize Form
- Field-Level Security