Employee with Leave Approver role should not be able to submit his own Leave Application!?

I have set myself as a leave approver by assigning the Leave Approver role so that I can submit leave approvals for some people who are working under me. Now I am also reporting to somebody who is above in the hierarchy.

So the issue is that when I add a leave application for myself, I am able to submit it. I can submit my own leave application.

It should not be possible, right? I don’t want anybody to submit their own leave approval rather than his subordinates. How can I rectify this issue?
Any kind of help is much appreciated!

The Role Permissions Manager page notes include this:

“Apart from System Manager, roles with Set User Permissions right can set permissions for other users for that Document Type.”

So the general BIG rule seems to be that a User cannot and should not be able to change their own permissions.

The code and supporting tests (presumably!) enforce and validate that this is the case!?


The docs propose an HR Manager or HR User to resolve the case of permission conflicts? Role Based Permissions

edit: FWIW like Google, Frappe follows this basic permissions model:

In the case of Google: “manage access control by defining who (identity) has what access (role) for which resource”

In the case of Frappe: identity == User, role == Role and resource == DocType

To learn more about best practice, check out the Google IAM docs

“Cloud IAM lets you grant granular access to specific Google Cloud resources and helps prevent access to other resources. Cloud IAM lets you adopt the security principle of least privilege, where you grant only necessary permissions to access specific resources.”

Probably one key to the principle of least privilege (POLP) is a consistent convention you opt to use? Say, whether you add/grant or deny/restrict privilege, to avoid access chaos?

From the above reply, the second point is correct (the other points mentioned are also correct). Just an addition to this: as you have the Leave Approver role assigned, you can submit your leave application (from the ERPNext logic perspective), and you can restrict it by customizing it.

@kaustubhd Now I got it. I know I can submit because I have the Leave Approver role. I want to restrict approving my own leave application while having the Leave Approver role. How can I customize it to achieve this?

@rajeeb, I regret that I am not able to provide you the solution on how to customize it because I am a black box tester. I can share my knowledge, logic and understanding of ERPNext. You will get an appropriate solution from the respective developer only.

Hi @rajeeb, have you got any solution for this? I am facing the same issue.

@rajeeb @Shwetang_Dalvi @clarkej @kaustubhd Did you find the solution?
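
One way to implement the customization asked about in this thread, as an added example that is not from any of the posters and not ERPNext's own code: a `before_submit` handler for Leave Application in a custom Frappe app. The app and module name `my_app.leave_guard` and the function names are hypothetical; the sample users are constructed.

```python
"""Separation-of-duties guard for Leave Application (added example, hypothetical module).

Wire it up in the custom app's hooks.py (app/module names are assumptions):
    doc_events = {"Leave Application": {"before_submit": "my_app.leave_guard.before_submit"}}
"""


def _same_user(a, b):
    # User ids are e-mail addresses; compare case-insensitively and ignore
    # stray whitespace. An empty value never matches anything.
    return bool(a) and bool(b) and a.strip().lower() == b.strip().lower()


def self_approval_violations(session_user, applicant_user, leave_approver):
    """Return the list of rule violations (empty list means the submit is allowed).

    session_user   -- user submitting (approving) the document
    applicant_user -- User linked to the applying Employee, or None if unlinked
    leave_approver -- approver named on the Leave Application, may be None
    """
    problems = []
    if _same_user(session_user, applicant_user):
        problems.append("You cannot submit your own Leave Application")
    if _same_user(leave_approver, applicant_user):
        problems.append("The applicant cannot be their own Leave Approver")
    return problems


def before_submit(doc, method=None):
    """Frappe doc_events handler: block the submit when the check fails."""
    import frappe  # lazy import so the pure check above is testable without Frappe

    applicant_user = frappe.db.get_value("Employee", doc.employee, "user_id")
    problems = self_approval_violations(
        frappe.session.user, applicant_user, doc.get("leave_approver")
    )
    if problems:
        frappe.throw("; ".join(problems), frappe.PermissionError)


if __name__ == "__main__":
    # Constructed sample users, not taken from the thread.
    print(self_approval_violations("alice@example.com", "Alice@Example.com", "bob@example.com"))
    print(self_approval_violations("bob@example.com", "alice@example.com", "bob@example.com"))
```

The check runs server-side on submit, so it holds whatever roles the submitting user has and leaves the Leave Approver role permissions unchanged.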