Setting up a User to read Level 1 fields

Hello,

I’m going to use REST API extensively, so I want to set up a User for this purpose.

Basically this User will be used in JS functions to retrieve data. I want this User to be able to read all docs of DocType User - meaning he can retrieve all other Users’ Level 1 fields only.

There are a number of new DocFields that are set to Level 1. All other DocFields are 0.

I have set up a new Role for this User, assigned User DocType, Level 1, Permissions as Read.

I wonder if I also have to use User Permissions. But then I’m stuck in the For Value field… this only accepts 1 value. But I need to be able to access all Docs. I ended up specifying the User’s own name as the value.

Calling api/resource/User I am able to retrieve all the “name” values:

So far so good.

Then I try to retrieve Level 1 fields of a particular user.

Calling api/resource/User?filters=[["name","=","abc@yahoo.com"]]&fields=["last_name","theme_no","idx","email"]

where

last_name = level 0
idx = level 0
email = level 0
theme_no = level 1

Strangely, all fields are returned. All values can be retrieved, which is not right! This creates a big loophole where it is possible for someone to use this account to retrieve all sorts of Level 0 fields!

What am I missing in the setup?

frappe/ERPNext v13.49

My uneducated guess is that the API won’t honour level X permissions; only Desk access will?

Anyone?
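A small check script for the situation described above, added here as an example (it is not code from the post or from Frappe): it issues the same `api/resource/User` query as a restricted API user and reports which Level 0 fields come back, so an administrator can confirm whether the role is scoped as intended. The site URL and API key/secret are placeholders; `LEVEL0_FIELDS`/`LEVEL1_FIELDS` mirror the field levels listed in the post.

```python
import json
import urllib.parse
import urllib.request

# Field levels as listed in the post (constructed for this example).
LEVEL0_FIELDS = {"last_name", "idx", "email"}
LEVEL1_FIELDS = {"theme_no"}


def leaked_fields(records, restricted_fields):
    """Return the restricted (Level 0) fields that come back with a value in
    any record. A role limited to Level 1 read should yield an empty list."""
    leaked = set()
    for rec in records:
        for field in restricted_fields:
            if field in rec and rec[field] is not None:
                leaked.add(field)
    return sorted(leaked)


def build_user_query(base_url, user_name, fields):
    """Build the GET URL from the post, with filters/fields JSON-encoded and
    URL-encoded (smart quotes or raw brackets in a URL break the request)."""
    params = {
        "filters": json.dumps([["name", "=", user_name]]),
        "fields": json.dumps(sorted(fields)),
    }
    return f"{base_url}/api/resource/User?" + urllib.parse.urlencode(params)


def fetch_records(url, api_key, api_secret):
    """Call the Frappe REST API with token auth and return the 'data' list."""
    headers = {"Authorization": f"token {api_key}:{api_secret}"}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    # Placeholders: use the site URL and the restricted API user's key/secret.
    url = build_user_query("https://SITE_URL_PLACEHOLDER", "abc@yahoo.com",
                           LEVEL0_FIELDS | LEVEL1_FIELDS)
    records = fetch_records(url, "API_KEY_PLACEHOLDER", "API_SECRET_PLACEHOLDER")
    leak = leaked_fields(records, LEVEL0_FIELDS)
    # Anything listed here is a Level 0 field the role should not be able to read.
    print("Level 0 fields exposed to this API user:", leak or "none")
```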