ERPNext 15 (Docker) - New User With No Role Permissions Still Accessing Reports & Workspace

Hi everyone,

I’m running ERPNext v15 deployed using the official Docker-based setup with pwd.yml, and I’m facing a serious access control issue. Despite multiple combinations of role and permission configurations, newly created users are still able to access parts of the system they shouldn’t.

Environment:

ERPNext Version: v15 (Docker image frappe/erpnext:v15.55.4)

Installed via: pwd.yml Docker Compose setup

Site name: drhcare.local

Access via: http://:8080


The Problem:

I created a new user (Riyaz) and assigned a custom role which has no DocTypes assigned in Role Permissions Manager.

Despite this, the user is still able to:

Access /app/report

Access /app/workspace

See “Workspace List”

See default reports

Even edit or create new Workspaces (in some combinations)

This is without:

Any Desk User role (disabled)

Any “All” or “System Manager” role

Desk User role (explicitly disabled)

Any Module access

No “Allow Modules” are selected in the user profile

No Doctype access given in Role Permissions Manager

No special User Permissions applied


What I Tried:

  1. Disabled Desk User and “All” roles, removed desk access from the user role named ‘All’; the issue is still the same.

     Confirmed they were not checked or auto-included.

  2. Created a completely new role with zero Doctype permissions.

  3. Assigned that role to the new user – still able to access /app/report and /app/workspace.

  4. Disabled Desk User in Role Permissions Manager for Workspace and Reports.

  5. Removed all Workspace-related permissions for all roles except System Manager.

  6. Enabled Apply Strict User Permissions in System Settings.

  7. Restarted Docker containers using:

     docker compose -f pwd.yml down -v
     docker compose -f pwd.yml up -d

  8. Confirmed user type is “System User”, not Website User.

  9. Tried assigning and unassigning “Selling” and other modules.

  10. Also tested disabling “Is Desk Access” on roles.


Expected Behavior:

If a user has a role that does not include access to any Doctype, they should not be able to:

Access workspace list

Access reports

Create/edit dashboards

See any data

Actual Behavior:

The user is getting access to these areas even with zero explicitly granted permissions.


My Request:

Can anyone from the community or core team help clarify:

Is this a known bug or design behavior in v15?

Is there a workaround to make all DocTypes restricted by default unless explicitly allowed?

Is there any hidden default behavior related to internal roles like “All”, “Desk User”, etc. that override our configs?

Also, if anyone has written a script to wipe all default permissions and start from a clean slate, I’d love to see it.

Thank you! This is a critical blocker for deploying ERPNext in a controlled, multi-user production environment.
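Added example, not from the post above and not Frappe's own code: a small audit that takes the DocPerm and Custom DocPerm rows (the tables behind Role Permission Manager) plus a user's assigned roles, and reports for every DocType which roles grant read access, flagging grants that arrive only through the shared default roles (All, Desk User, Guest) that never show up under a custom role in Role Permission Manager. This is the check to run before concluding a user has "zero permissions". The field names follow Frappe's DocPerm schema (parent = DocType, role, read, permlevel); the way implicit roles are added in `effective_roles` is an assumption about `frappe.get_roles()` that may differ between versions; the sample rows, the roles and the user are constructed for the demo.

```python
"""Audit which DocTypes a user can read and via which roles.

Standalone example: the audit itself needs no Frappe install; only
fetch_from_site() imports frappe, and only when you call it.
"""
from collections import defaultdict

# Roles Frappe hands out implicitly rather than through an explicit assignment.
# Exact behaviour is version dependent; this set is an assumption for the demo.
IMPLICIT_ROLES = {"All", "Desk User", "Guest"}


def effective_roles(assigned_roles, user_type="System User"):
    """Assumed model of frappe.get_roles(): every user also carries 'All' and
    'Guest'; a System User is additionally treated as 'Desk User'."""
    roles = set(assigned_roles) | {"All", "Guest"}
    if user_type == "System User":
        roles.add("Desk User")
    return roles


def read_grants(docperms, custom_docperms):
    """Map DocType -> set of roles granting 'read' at permlevel 0.

    Any edit in Role Permission Manager copies a DocType's rows into
    Custom DocPerm, which then replaces the standard DocPerm rows for that
    DocType; the same precedence is applied here."""
    by_doctype = {"std": defaultdict(list), "custom": defaultdict(list)}
    for row in docperms:
        by_doctype["std"][row["parent"]].append(row)
    for row in custom_docperms:
        by_doctype["custom"][row["parent"]].append(row)

    grants = defaultdict(set)
    for doctype in set(by_doctype["std"]) | set(by_doctype["custom"]):
        rows = by_doctype["custom"].get(doctype) or by_doctype["std"][doctype]
        for row in rows:
            if row.get("read") and row.get("permlevel", 0) == 0:
                grants[doctype].add(row["role"])
    return grants


def audit_user(assigned_roles, docperms, custom_docperms, user_type="System User"):
    """Return {DocType: {"roles": [...], "implicit_only": bool}} for every
    DocType the user can read; implicit_only marks access that comes solely
    from the shared default roles, i.e. nothing the admin granted on purpose."""
    roles = effective_roles(assigned_roles, user_type)
    report = {}
    for doctype, granting in read_grants(docperms, custom_docperms).items():
        via = granting & roles
        if via:
            report[doctype] = {"roles": sorted(via), "implicit_only": via <= IMPLICIT_ROLES}
    return report


def fetch_from_site(user):
    """Collect the same inputs from a live site; intended to be run inside
    `bench --site <site> console` (assumed usage, not verified against v15.55.4)."""
    import frappe  # lazy import so the rest of the file runs without Frappe
    fields = ["parent", "role", "read", "permlevel"]
    assigned = frappe.get_all("Has Role", filters={"parent": user}, pluck="role")
    user_type = frappe.db.get_value("User", user, "user_type")
    return (assigned, frappe.get_all("DocPerm", fields=fields),
            frappe.get_all("Custom DocPerm", fields=fields), user_type)


# Constructed sample rows (not a dump from a real site).
SAMPLE_DOCPERMS = [
    {"parent": "Report", "role": "All", "read": 1, "permlevel": 0},
    {"parent": "Workspace", "role": "Desk User", "read": 1, "permlevel": 0},
    {"parent": "Workspace", "role": "System Manager", "read": 1, "permlevel": 0},
    {"parent": "Sales Invoice", "role": "Accounts User", "read": 1, "permlevel": 0},
]
# Role Permission Manager edit for Sales Invoice, stored as Custom DocPerm rows.
SAMPLE_CUSTOM_DOCPERMS = [
    {"parent": "Sales Invoice", "role": "Clinic Staff", "read": 1, "permlevel": 0},
]

if __name__ == "__main__":
    for doctype, info in sorted(audit_user(["Clinic Staff"], SAMPLE_DOCPERMS,
                                           SAMPLE_CUSTOM_DOCPERMS).items()):
        tag = "IMPLICIT ONLY" if info["implicit_only"] else "explicit"
        print(f"{doctype:15} read via {', '.join(info['roles']):20} [{tag}]")
```

Rows flagged IMPLICIT ONLY are the ones to look at: for those DocTypes the custom role is irrelevant, and the grant has to be removed (or restricted to a named role) on the DocType itself, since it applies to every user who carries the default role.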