Document permissions based on field values

I am trying to create a role-level permission for viewing Purchase Invoices based on the value of certain fields.

Here is the underlying problem:
We have a situation where there will be purchases made from employee-specific suppliers of employee-specific items. These invoices should not be visible to all other employees. They should only be visible to the employee who submitted the invoice, and the General Manager. I have created Supplier Groups and Item Groups for each employee and created permissions based on these groups that link to the specific employee. So far, so good: each employee can only see their own items and suppliers. But when an employee submits a purchase invoice, all other employees can see it regardless of the mentioned supplier or items within the invoice.

So I have two somewhat (perhaps redundant) questions:

1: It appears that each doctype only has certain fields that are filtered for permissions. For example, Purchase Invoices can be filtered by permission based on Account, but not by Supplier. Is there a way to reference the Supplier field when permissions are calculated?

2: Is there a way to limit access to specific documents based on any custom field value? Under User Permissions, I am able to enable access to individual instances of a document. I don’t want to have to do this manually for every Invoice that is created. Is there a way to enable (or restrict) access of a document based on the value of a field?

Thank you for your help.

1 Like

I am also interested in this use case.
Did you find any answer?

Did you have found any solution? This problem is also actual even today…

Try this app Frappe Permission
I think it will help, but unfortunately, I didn’t have time to make documentation for it
If you need any help with this app, feel free to contact me


Thank you @youssef !

I think your module is great contribution to community!

I will contact you if I need some help.

Thank for the great contribution!!

We tried to use it, but we are getting error while saving the permission rule.

Screenshot is attached below

below is the complete error log

### App Versions
	"erpnext": "14.6.0",
	"frappe": "14.14.3",
	"hrms": "1.0.0",
	"payments": "0.0.1",
	"permission": "1.0.0",
	"real_estate_dubai": "0.0.1",
	"whitelabel": "0.0.1"

### Route

Form/Permission Rule/new-permission-rule-1

### Trackeback

Traceback (most recent call last):
  File "apps/frappe/frappe/", line 69, in application
    response = frappe.api.handle()
  File "apps/frappe/frappe/", line 54, in handle
    return frappe.handler.handle()
  File "apps/frappe/frappe/", line 45, in handle
    data = execute_cmd(cmd)
  File "apps/frappe/frappe/", line 83, in execute_cmd
    return, **frappe.form_dict)
  File "apps/frappe/frappe/", line 1585, in call
    return fn(*args, **newargs)
  File "apps/frappe/frappe/desk/form/", line 23, in savedocs
  File "apps/frappe/frappe/model/", line 303, in save
    return self._save(*args, **kwargs)
  File "apps/frappe/frappe/model/", line 325, in _save
    return self.insert()
  File "apps/frappe/frappe/model/", line 257, in insert
  File "apps/frappe/frappe/model/", line 1038, in run_before_save_methods
  File "apps/frappe/frappe/model/", line 907, in run_method
    out = Document.hook(fn)(self, *args, **kwargs)
  File "apps/frappe/frappe/model/", line 1256, in composer
    return composed(self, method, *args, **kwargs)
  File "apps/frappe/frappe/model/", line 1238, in runner
    add_to_return_value(self, fn(self, *args, **kwargs))
  File "apps/frappe/frappe/model/", line 904, in fn
    return method_object(*args, **kwargs)
  File "apps/permission/permission/permission/doctype/permission_rule/", line 13, in validate
  File "apps/permission/permission/permission/doctype/permission_rule/", line 49, in controle_disabled
    if self.disabled != old_doc.disabled:
AttributeError: 'NoneType' object has no attribute 'disabled'

### Request Data

	"type": "POST",
	"args": {
		"doc": "{\"docstatus\":0,\"doctype\":\"Permission Rule\",\"name\":\"new-permission-rule-1\",\"__islocal\":1,\"__unsaved\":1,\"owner\":\"Administrator\",\"disabled\":0,\"doctypes\":[{\"docstatus\":0,\"doctype\":\"Permission Rule Doctypes\",\"name\":\"new-permission-rule-doctypes-1\",\"__islocal\":1,\"__unsaved\":1,\"owner\":\"Administrator\",\"share\":1,\"permission\":1,\"assign\":0,\"parent\":\"new-permission-rule-1\",\"parentfield\":\"doctypes\",\"parenttype\":\"Permission Rule\",\"idx\":1,\"doctype_name\":\"Unit\",\"field\":\"permission_detail\"}],\"users\":[{\"docstatus\":0,\"doctype\":\"Permission Rule Users\",\"name\":\"new-permission-rule-users-1\",\"__islocal\":1,\"__unsaved\":1,\"owner\":\"Administrator\",\"parent\":\"new-permission-rule-1\",\"parentfield\":\"users\",\"parenttype\":\"Permission Rule\",\"idx\":1,\"user_name\":\"Kittu Chechani\",\"user\":\"\"}],\"title\":\"Assign Units to Broker\"}",
		"action": "Save"
	"btn": {
		"jQuery360087038004038523261": {
			"events": {
				"click": [
						"type": "click",
						"origType": "click",
						"guid": 969,
						"namespace": ""
	"freeze": true,
	"headers": {},
	"error_handlers": {},
	"url": "/api/method/"

### Response Data

	"exception": "AttributeError: 'NoneType' object has no attribute 'disabled'"

You should create Table MultiSelect custom field with the name of your choice in your Doctype and put in the options “Permission Detail” then you can use that field to control permissions

I already did that