Users and Roles

Users are the people who log into ERPNext. Roles control what they can do.

Add a new user

User → New:

| Field | What |
| --- | --- |
| Email | Login email — also serves as username |
| First / Last Name | Display name |
| User Type | "System User" for staff; "Website User" for portal-only access |
| Send Welcome Email | Yes — they get a password-reset link |
| Enabled | Yes (uncheck to disable login without deleting) |

Assign roles

In the Roles section, tick all roles this user needs:

| Common role | What it grants |
| --- | --- |
| System Manager | Full access — only for admins |
| Accounts Manager | Accounting, invoicing, payments |
| Sales Manager / Sales User | Customers, quotations, sales orders, invoices |
| Purchase Manager / Purchase User | Suppliers, purchase orders, invoices |
| Stock Manager / Stock User | Items, warehouses, stock entries |
| Item Manager | Item master data |
| Customer / Supplier | Portal access (for external users) |
| Signer | Digital signing — see Digital Signing |

Save — the user can now log in with the email + their chosen password.

Roles vs Permissions

A role like "Accounts Manager" comes with built-in permissions on a set of DocTypes — read, write, submit, cancel, etc.

For fine-tuned control:

  • Role Permissions Manager lets you tune what each role can do per DocType
  • User Permissions restrict a specific user to specific records (e.g., only their own customer)

For most setups, the default roles are sufficient. Avoid creating one role per user.

Role Profiles

If many users need the same set of roles, create a Role Profile bundling them:

  1. Role Profile → New — name it (e.g., "Sales Staff")
  2. Add the roles
  3. On each user, set Role Profile = "Sales Staff"

Onboarding a new sales person: create the user, pick the Role Profile, done.

Module Profiles

Similarly, Module Profiles control which modules (Selling, Buying, Accounting…) a user sees on their dashboard. Useful for keeping the interface focused per user type.

Restricting access to specific records

The Sales Manager can normally see all customers. To restrict a user to only their own customers:

  1. Open the User → User Permissions section
  2. Add: Allow = Customer, For Value = [specific customer or sales person link]
  3. Save

The user can now only access customers matching the filter. Useful for territory-based sales teams.

Two-factor authentication (2FA)

For sensitive roles (System Manager, Accounts Manager), enable 2FA:

System Settings → Enable Two Factor Authentication.

Per role, Two Factor Auth can be enforced — Signer, Accounts Manager, System Manager are good candidates.

Disabling vs deleting users

When someone leaves:

  • Enabled = No — they can't log in, history preserved
  • Don't delete — orphans all their actions (created records, comments)

Reassign their open assignments to another user before disabling.

Common situations

  • Bookkeeper with read-only access — create a custom role with read on Accounts but no write
  • Customer staff using portal only — User Type = Website User, role = Customer
  • Temporary contractor — Enabled = Yes during the engagement; uncheck on their last day
  • API access — generate an API Key on the user's record; restrict by role
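
The guidance on this page (System Manager only for admins, 2FA on sensitive roles, portal-only Website Users, disabling leavers) can be checked periodically as an access review. The script below is an added example, not ERPNext code: the dict layout, the sample accounts and the `review` function are assumptions made for illustration.

```python
# Added example: access review over a constructed user export.
# The dict layout is an assumption for illustration, not an ERPNext export format.
SENSITIVE = {"System Manager", "Accounts Manager", "Signer"}  # 2FA candidates named on this page
PORTAL_ROLES = {"Customer", "Supplier"}                       # roles meant for external users

# Constructed sample data.
USERS = [
    {"email": "admin@example.com", "enabled": True, "user_type": "System User",
     "roles": ["System Manager"]},
    {"email": "books@example.com", "enabled": True, "user_type": "System User",
     "roles": ["Accounts Manager"]},
    {"email": "sales@example.com", "enabled": True, "user_type": "System User",
     "roles": ["Sales User", "System Manager"]},
    {"email": "portal@example.com", "enabled": True, "user_type": "Website User",
     "roles": ["Customer", "Stock User"]},
    {"email": "leaver@example.com", "enabled": False, "user_type": "System User",
     "roles": ["Accounts Manager"]},
]
ROLES_WITH_2FA = {"System Manager"}  # roles on which 2FA is currently enforced
ADMINS = {"admin@example.com"}       # people approved to hold System Manager


def review(users, roles_with_2fa, admins):
    """Return sorted (email, finding) pairs for enabled accounts that break the guidance."""
    findings = []
    for u in users:
        if not u["enabled"]:
            continue  # disabled accounts cannot log in; their history is kept
        email, roles = u["email"], set(u["roles"])
        # Full access should be limited to the approved admin list.
        if "System Manager" in roles and email not in admins:
            findings.append((email, "System Manager held by non-admin"))
        # Sensitive roles should have 2FA enforced at the role level.
        for role in sorted((roles & SENSITIVE) - roles_with_2fa):
            findings.append((email, f"{role} without enforced 2FA"))
        # Portal-only users should hold nothing beyond the portal roles.
        extra = sorted(roles - PORTAL_ROLES)
        if u["user_type"] == "Website User" and extra:
            findings.append((email, "Website User with non-portal roles: " + ", ".join(extra)))
    return sorted(findings)


if __name__ == "__main__":
    for email, finding in review(USERS, ROLES_WITH_2FA, ADMINS):
        print(f"{email}: {finding}")
```
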
Last updated 3 days ago