diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index a257b09..6c0963a 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -36,6 +36,9 @@ if (!process.env.MINIO_BUCKET) {
 const MINIO_BUCKET = process.env.MINIO_BUCKET;
 const MANAGE_ROLES = ["system", "head_of_admin", "admin", "branch_manager"];
+function isSystem(user: RequestWithUser["user"]) {
+ return user.roles.includes("system");
+}
 function globalAllow(user: RequestWithUser["user"]) {
 const listAllowed = ["system", "head_of_admin"];
 return user.roles?.some((v) => listAllowed.includes(v)) || false;
@@ -346,21 +349,18 @@ export class UserController extends Controller {
 throw new HttpError(HttpStatus.BAD_REQUEST, "User exists.", "userExists");
 }
- const roleSetIndex = MANAGE_ROLES.findIndex((v) => v === body.userRole);
+ const setRoleIndex = MANAGE_ROLES.findIndex((v) => v === body.userRole);
+ const userRoleIndex = MANAGE_ROLES.reduce(
+ (a, c, i) => (req.user.roles?.includes(c) ? i : a),
+ -1,
+ );
 const THROW_PERM_MSG = "You do not have permission to perform this action.";
 const THROW_PERM_CODE = "noPermission";
- if (roleSetIndex !== -1 && roleSetIndex < 1) {
+ if (setRoleIndex < userRoleIndex) {
 throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
 }
- if (roleSetIndex !== -1 && roleSetIndex < 2 && !req.user.roles?.includes("head_of_admin")) {
- throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
- }
- if (roleSetIndex !== -1 && roleSetIndex < 3 && !req.user.roles?.includes("admin")) {
- throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
- }
-
 if (!globalAllow(req.user)) {
 if (branch.some((v) => !v.user.find((v) => v.userId === req.user.sub))) {
 throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
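Review bot: The new `isSystem` dereferences `user.roles.includes(...)` without the optional chaining that `globalAllow` directly below and the `req.user.roles?.includes` calls in the later hunks use, so if `roles` can be absent on a user this helper throws a TypeError instead of answering false; `return user.roles?.includes("system") ?? false;` keeps it in line with its sibling. It is also not referenced in the hunks shown, so if nothing else in the commit calls it, it is dead code. A one-line doc comment such as `/** True when the caller holds the "system" role; the only role that outranks head_of_admin. */` would make the helper's place in the MANAGE_ROLES ordering explicit.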
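Review bot: The replacement check `if (setRoleIndex < userRoleIndex)` misbehaves at both `-1` sentinels: a caller holding none of MANAGE_ROLES gets `userRoleIndex = -1`, so the comparison can never be true and any `body.userRole`, including `system`, passes, whereas the removed `roleSetIndex < 1` guard denied `system` unconditionally and the removed `head_of_admin`/`admin` guards denied those ranks to such a caller; conversely a `userRole` outside MANAGE_ROLES yields `setRoleIndex = -1`, which is now rejected for every caller with a manage role although the old code let it through. A guard like `if (setRoleIndex === 0 || (setRoleIndex !== -1 && (userRoleIndex === -1 || setRoleIndex < userRoleIndex))) {` restores those denials while keeping the rank comparison; whether a `system` caller should be allowed to create another `system` user (which the new code permits, since 0 < 0 is false) is a policy decision the commit message should state. Note too that the `reduce` keeps the last match, i.e. the least privileged manage role the caller holds, so a user with both `admin` and `branch_manager` is ranked as `branch_manager` — if the highest rank is intended, `MANAGE_ROLES.findIndex((r) => req.user.roles?.includes(r))` fits better. The identical block is repeated in the hunk at -506; a shared helper would keep the two checks from drifting. The enclosing method begins and ends outside this hunk.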
@@ -506,21 +506,18 @@ export class UserController extends Controller {
 "minimumBranchNotMet",
 );
 }
- const roleSetIndex = MANAGE_ROLES.findIndex((v) => v === body.userRole);
+ const setRoleIndex = MANAGE_ROLES.findIndex((v) => v === body.userRole);
+ const userRoleIndex = MANAGE_ROLES.reduce(
+ (a, c, i) => (req.user.roles?.includes(c) ? i : a),
+ -1,
+ );
 const THROW_PERM_MSG = "You do not have permission to perform this action.";
 const THROW_PERM_CODE = "noPermission";
- if (roleSetIndex !== -1 && roleSetIndex < 1) {
+ if (setRoleIndex < userRoleIndex) {
 throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
 }
- if (roleSetIndex !== -1 && roleSetIndex < 2 && !req.user.roles?.includes("head_of_admin")) {
- throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
- }
- if (roleSetIndex !== -1 && roleSetIndex < 3 && !req.user.roles?.includes("admin")) {
- throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);
- }
-
 if (!globalAllow(req.user)) {
 if (branch.some((v) => !v.user.find((v) => v.userId === req.user.sub))) {
 throw new HttpError(HttpStatus.FORBIDDEN, THROW_PERM_MSG, THROW_PERM_CODE);