I’m currently working with Frappe v15 for a school system project and still learning as I go. I’ve been exploring how Role Permissions and User Permissions work together, and I noticed something that I’m not sure is expected behavior:
When I assign a new Role to a user that should give them broader access to a Doctype (like all records), it doesn’t seem to take effect if that user already has a User Permission set (like access to just one record). The system still respects the User Permission and I have to manually delete it before the new Role access works.
Is this how it’s supposed to work?
Should User Permissions always take priority?
Is there a cleaner way to update or override them when assigning new Roles?
Appreciate any insights! I’m still getting used to the way permissions behave in Frappe.
Short answer: yes, that’s how it is supposed to work.
Longer answer: The design of User Permissions is, in my opinion, dangerous, and they should generally be avoided if at all possible. If you absolutely need them, make sure the data you need is highly sensitive and audit your settings frequently.
As someone who’s still learning Frappe, this helped me understand the risks behind User Permissions more clearly. I didn’t realize the system worked that way, especially how it defaults to full access unless explicitly restricted.
Your explanation makes a lot of sense, and I can see why it can be risky if something silently fails. I really appreciate the time you took to break it down, especially the difference between additive and subtractive permission models.
Looking forward to seeing where this discussion goes. I’ll definitely keep this in mind as I continue learning and working on our Management system.
I’m still getting used to the way permissions behave in Frappe.