Restrict employee Write permission to only their own profile?

Hi there,

I would like my employees to have access to update their own profiles but only Read access on other employees’ profiles.

First, I remove the “User permission” so that employee A can see the Employee list with all other employees.

Now, if I go to Roles Permission Manager > Doctype: Employee > Enable Employee Write access, they are able to make changes to their own profile as well as other people’s profiles.

Question 1: How can I enable Write access to their own profile but only Read access to other’s?

I also want to hide sensitive information that Employee A cannot see from Employee B, but can see their own sensitive information - like address or phone number.

I can customize the fields in the Employee page and adjust the perm levels but an employee-level user will not be able to see those fields on their OWN page.

Question 2: How can an employee see all fields in their own profile but hide sensitive information in other employee’s profiles?

Hello and welcome to the ERPNext community

  1. In the doctype permission settings there is a tickbox - if owner

  2. I am not sure about this one - let's wait for others to reply

To not allow an employee to modify other employees' details, you can use has_permission like below.
Write this in your app's hooks file:

has_permission = {
    "Employee": "path of your file"  # dotted Python path of the function below
}

And below is a function for reference:

import frappe


def employee_has_permission(doc, ptype, user=None, **kwargs):
    # Frappe calls has_permission hooks with keyword arguments doc, ptype and user;
    # **kwargs tolerates any extra arguments a newer version may pass
    user = user or frappe.session.user

    if ptype == "read":
        return True  # See all employees

    if ptype == "write":
        # Administrators and System Managers keep their normal rights
        if user == "Administrator" or "System Manager" in frappe.get_roles(user):
            return None  # no opinion: fall back to role permissions
        # Write only if it's their own profile
        current_employee = frappe.db.get_value("Employee", {"user_id": user}, "name")
        return doc.name == current_employee

    # Other permission types (create, delete, ...) stay governed by role permissions
    return None

And for hiding sensitive fields, you can use a Client Script.


Thanks Hemil for the script!

Can you help me with the Client Script part? I’m not technical and I’m not sure what you mean or what I need to do. :frowning:

Thank you!

Below is a sample script; make changes as per your need.

frappe.ui.form.on('Employee', {
    refresh(frm) {
        hide_sensitive_fields(frm);
    },
    onload(frm) {
        hide_sensitive_fields(frm);
    }
});

// Sensitive fields list (adjust to your needs)
const SENSITIVE_FIELDS = ['ctc', 'pan_number'];

function hide_fields(frm, fields) {
    fields.forEach(field => {
        if (frm.fields_dict[field]) {
            frm.toggle_display(field, false);
        }
    });
}

async function hide_sensitive_fields(frm) {
    // NOTE: this only hides the fields in the form. The values are still sent to the
    // browser, so use field perm levels or server-side permissions to actually protect them.
    const user_roles = frappe.user_roles;
    // Administrator and System Manager see everything
    if (frappe.session.user === "Administrator" || user_roles.includes("System Manager")) {
        return;
    }

    try {
        // Async get current user's Employee
        const result = await frappe.db.get_value('Employee',
            {user_id: frappe.session.user}, 'name'
        );
        const user_employee = result.message?.name;
        // Hide if not own profile
        if (frm.doc.name !== user_employee) {
            hide_fields(frm, SENSITIVE_FIELDS);
        }
    } catch (error) {
        console.log('Permission check failed:', error);
        // Fail closed: hide sensitive fields when the check cannot be completed
        hide_fields(frm, SENSITIVE_FIELDS);
    }
}
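A Client Script only changes what the form displays; the sensitive values are still in the document the server sends to the browser. The following is an added example, not code from this thread, that applies the same own-profile rule server side as a plain function: the Frappe wiring is assumed and not shown (for instance, a doc_events "onload" handler for Employee could call strip_sensitive_fields on the loaded document), and the privileged role set and the sample Employee ids are constructed for illustration.

```python
# Added example (not from the thread): server-side counterpart of the Client Script.
# Which roles count as privileged is an assumption; the thread only exempts
# Administrator and System Manager, so that is all we list here.
SENSITIVE_FIELDS = ("ctc", "pan_number")
PRIVILEGED_ROLES = {"System Manager"}


def can_view_sensitive(doc, user, user_employee, roles):
    """Return True if `user` may see the sensitive fields of Employee `doc`.

    doc           -- dict with at least "name" (the Employee id)
    user          -- login id of the viewer
    user_employee -- Employee name linked to that login (user_id field), or None
    roles         -- iterable of the viewer's roles
    """
    if user == "Administrator" or PRIVILEGED_ROLES & set(roles):
        return True
    # Own profile: the Employee linked to the viewer is the one being viewed.
    # A login with no linked Employee (None) never matches, so it sees nothing sensitive.
    return user_employee is not None and doc.get("name") == user_employee


def strip_sensitive_fields(doc, user, user_employee, roles):
    """Return a copy of `doc` with sensitive values blanked unless the viewer may see them."""
    if can_view_sensitive(doc, user, user_employee, roles):
        return dict(doc)
    return {k: (None if k in SENSITIVE_FIELDS else v) for k, v in doc.items()}


if __name__ == "__main__":
    # Constructed sample records and viewers
    emp_b = {"name": "HR-EMP-00002", "employee_name": "B", "ctc": 50000, "pan_number": "XXXXX0000X"}
    print(strip_sensitive_fields(emp_b, "a@example.com", "HR-EMP-00001", ["Employee"]))
    print(strip_sensitive_fields(emp_b, "b@example.com", "HR-EMP-00002", ["Employee"]))
```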