diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index caedd93..5cd044d 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -333,6 +333,23 @@ export class UserController extends Controller {
 if (user) {
 throw new HttpError(HttpStatus.BAD_REQUEST, "User exists.", "userExists");
 }
+
+ if (!["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v))) {
+ if (body.userRole in ["system", "head_of_admin", "admin"]) {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ if (!req.user.roles.includes("branch_admin") && body.userRole === "branch_admin") {
+ throw new HttpError(
+ HttpStatus.FORBIDDEN,
+ "You do not have permission to perform this action.",
+ "noPermission",
+ );
+ }
+ }
 if (
 !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v)) &&
 branch?.some((v) => !v.user.find((v) => v.userId === req.user.sub))
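Review bot: The new privileged-role guard never fires, because `body.userRole in ["system", "head_of_admin", "admin"]` tests whether the string is a property key of the array (i.e. `"0"`, `"1"`, `"2"`, `"length"`), not whether it is an element, so a caller without an admin role is still allowed to create a user with role `system`, `head_of_admin` or `admin`; it compiles cleanly under strict TS, so nothing catches it. The check should be `if (["system", "head_of_admin", "admin"].includes(body.userRole)) {`. The second added check reads `req.user.roles.includes(...)` without the `?.` that the surrounding checks use on `req.user.roles`, so it would throw a TypeError rather than a 403 if `roles` is ever absent; use `req.user.roles?.includes("branch_admin")` for consistency. Both throws are identical, so the two conditions could be joined with `||` into one `throw`, and a regression test that submits `userRole: "admin"` as a non-admin caller would have caught the first point. The enclosing method continues outside the hunk.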