Roles & Permission Manager, User Permissions

I am building an application with the Frappe framework and so far have created some doctypes and roles.

Requirement:
If a user who is assigned the Society Admin role creates a Society doctype record, a record is created in the Access Mapper doctype in which that user is assigned Society Admin for the Society record.
In this case, another admin user, say Admin Two, should not be able to view the Society record created by Admin One.
Admin One can also create Flats under Society One, and those should not be visible to Admin Two either.

How can I achieve this?

Current Implementation:

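class Society(Document):
	"""Society record; creating one registers its creator in "Access Mapper"."""

	def after_insert(self):
		"""Register the creating user as Society Admin of this Society.

		Inserts an "Access Mapper" row (society, user, role "Society Admin",
		is_enabled 1) unless the same society/user/role mapping already
		exists. Nothing is created when the session user does not hold the
		"Society Admin" role.

		Returns:
			None
		"""
		user = frappe.session.user

		# The mapping is written with ignore_permissions=True, so no permission
		# check runs on the insert itself. Enforce the stated rule ("a user who
		# is assigned Society Admin creates a Society") here; otherwise any
		# account able to create a Society would be mapped as its admin.
		if "Society Admin" not in frappe.get_roles(user):
			return

		mapping = {"society": self.name, "user": user, "role": "Society Admin"}
		if frappe.db.exists("Access Mapper", dict(mapping)):
			return

		access_mapping = frappe.get_doc(
			{"doctype": "Access Mapper", **mapping, "is_enabled": 1}
		)
		access_mapping.insert(ignore_permissions=True)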
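class AccessMapper(Document):
	"""Maps a user to a role on one Society and mirrors it as a User Permission."""

	# Roles whose mapping is mirrored into a "Society" User Permission.
	_SOCIETY_SCOPED_ROLES = ("Society Admin", "Society Manager")

	def validate(self):
		"""Reject a second record with the same society, user and role.

		Raises:
			DuplicateEntryError: if another "Access Mapper" record already
				holds this society/user/role combination.
		"""
		filters = {
			"society": self.society,
			"user": self.user,
			"role": self.role
		}
		# validate also runs when an existing record is saved again; without
		# excluding the record itself, every update would match its own row
		# and be rejected as a duplicate.
		if not self.is_new():
			filters["name"] = ["!=", self.name]

		existing = frappe.db.exists("Access Mapper", filters)
		if existing:
			frappe.throw(
				f"A record for this Society, User, and Role already exists: {existing}",
				DuplicateEntryError
			)

	def after_insert(self):
		"""Create the matching "Society" User Permission for scoped roles.

		For role "Society Admin" or "Society Manager", inserts a User
		Permission (user, allow "Society", for_value = this society) unless
		one already exists. Other roles get no User Permission.

		Returns:
			None
		"""
		# NOTE(review): in Frappe a User Permission narrows what a role can
		# already read; it does not grant access by itself. A user who holds
		# the role but has no "Society" User Permission yet is not restricted
		# by this mechanism - confirm that role permissions cover that case.
		# NOTE(review): is_enabled is not consulted here, and later edits to
		# user/society/role are not mirrored - confirm that is intended.
		if self.role not in self._SOCIETY_SCOPED_ROLES:
			return

		scope = {"user": self.user, "allow": "Society", "for_value": self.society}
		if frappe.db.exists("User Permission", dict(scope)):
			return

		society_permission = frappe.get_doc({"doctype": "User Permission", **scope})
		# Written on behalf of the user, who normally cannot create User
		# Permission records directly.
		society_permission.insert(ignore_permissions=True)

	def on_trash(self):
		"""Remove the mirrored User Permission when this mapping is deleted.

		The User Permission is kept when this record's role never produced
		one, or when another Access Mapper record still maps the same user to
		the same society with a scoped role.

		Returns:
			None
		"""
		# Only scoped roles create a User Permission in after_insert, so only
		# they should take one away.
		if self.role not in self._SOCIETY_SCOPED_ROLES:
			return

		# A user may be both Society Admin and Society Manager of one society;
		# deleting one of the two mappings must not drop the shared permission.
		still_mapped = frappe.db.exists(
			"Access Mapper",
			{
				"society": self.society,
				"user": self.user,
				"role": ["in", list(self._SOCIETY_SCOPED_ROLES)],
				"name": ["!=", self.name]
			}
		)
		if still_mapped:
			return

		# NOTE(review): removing a user's last "Society" User Permission lifts
		# the restriction rather than revoking access; if the user keeps a role
		# that can read Society, every Society may become visible - confirm.
		stale = frappe.get_all(
			"User Permission",
			filters={"user": self.user, "allow": "Society", "for_value": self.society}
		)
		for row in stale:
			# delete_doc runs the User Permission controller, so whatever that
			# controller does on delete (presumably refreshing cached user
			# permissions) still happens; a raw frappe.db.delete would skip it.
			frappe.delete_doc("User Permission", row.name, ignore_permissions=True)
		# No explicit frappe.db.commit(): committing inside the hook would
		# persist the permission change even if the surrounding delete is
		# later rolled back.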

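@dkothari You can achieve this by enabling the "Only If Creator" option in the Role Permission Manager, as shown below. With that option set, the role's permissions apply only to documents the user created, so users who are mapped to a Society without having created it would not see it through this rule.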