Managing Perm Level in Permission Manager
Perm Level in ERPNext is a means of managing the level of information that is editable or visible in a given DocType for specific user groups. While document-level permissions specify general access (Read, Write, Create, Submit, etc.) to a complete DocType, Perm Level allows more fine-grained control by imposing constraints at the level of particular fields or sections of a document.
Using Perm Levels, administrators can not only identify who is allowed to access a document type, but also what parts of the document (field groups, sections, or individual fields) can be read and/or edited by different roles.
Grouping Fields by Levels
Fields in both documents may also be grouped by assigning them a Permission Level number. The different groups of fields are given by different numbers (0, 1, 2, 3, etc.). There is then the possibility of defining a separate set of permission rules and using these per level.
- Default Behavior All fields in a document will be set to Permission Level 0, i.e. they will be visible and editable (subject to role-based permissions) unless one wishes to clearly lock them down.
- Customized Control: If there are certain fields that need to be locked down, you can associate them with a higher Permission Level (such as Level 1 or Level 2) and then specify who may view or edit these fields.
Field Permission Levels can be established using the Customize Form tool. Administrators can set field-level permissions without requiring code-level modifications.
Example Use Case
One of such use cases is that a Delivery Note remains visible to Stock Managers and Stock Users. The company would prefer to conceal information such as Amount that relate to finance from Stock Users in order to allow them to operate with information on stock.
- In all sensitive fields (ex. Amount), set their Perm Level to 2.
- Write design access rules so that Stock Managers have the Read/Write access to fields at Perm Level 2, but Stock Users have zero access in Perm Level 2 fields.
This guarantees:
- All the information (including financial values) is viewed and managed by Stock Managers.
- Stock Users see only operational information and concealed is sensitive information.
Read vs. Write Control
Perm Levels determine not just if a field is visible, but also if it can be edited.
- If a role is given Read access at a certain Permission Level, users in that role can view the field but not modify its value.
- If a role is given Write access at that Permission Level as well, they can view and edit the field.
For example:
- A Stock User might have Read-only access to a Perm Level 2 field, so they can look at financial totals but cannot change them.
- A Stock Manager may possess Read and Write access, which leaves him or her in complete control.
Flexible Numbering
The numbering of Permission Levels (1, 2, 3, etc.) is not required to be in a strict sequence or hierarchy. They are not ranked levels but mere identifiers for field grouping. For instance:
- You can apply "1" to financial fields, "2" to sensitive HR fields, and "3" to audit fields.
- You could also give "3, 1, 2" without any problem.
The key is consistency—applying the same Perm Level to fields that must fall under the same group of access rules.
Section-Level Control
If you'd rather have a Permission Level applied across an entire section rather than to separate fields, ERPNext makes it easy to set the Perm Level on the Section Break field itself. Once set, it automatically gets applied as the same level of all fields that are within that section.
Permissions can then be set more easily when multiple logical fields are grouped together (e.g. Employee Salary Information). Instead of individually setting the fields, Perm Level of the section gives it stable control.