diff --git a/src/controllers/user-controller.ts b/src/controllers/user-controller.ts
index 5cd044d..c663a02 100644
--- a/src/controllers/user-controller.ts
+++ b/src/controllers/user-controller.ts
@@ -503,6 +503,25 @@ export class UserController extends Controller {
         "minimumBranchNotMet",
       );
     }
+    if (
+      body.userRole &&
+      !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v))
+    ) {
+      if (body.userRole in ["system", "head_of_admin", "admin"]) {
+        throw new HttpError(
+          HttpStatus.FORBIDDEN,
+          "You do not have permission to perform this action.",
+          "noPermission",
+        );
+      }
+      if (!req.user.roles.includes("branch_admin") && body.userRole === "branch_admin") {
+        throw new HttpError(
+          HttpStatus.FORBIDDEN,
+          "You do not have permission to perform this action.",
+          "noPermission",
+        );
+      }
+    }
     if (
       !["system", "head_of_admin", "admin"].some((v) => req.user.roles?.includes(v)) &&
       branch?.some((v) => !v.user.find((v) => v.userId === req.user.sub))
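Review bot: The first inner check never fires: `body.userRole in ["system", "head_of_admin", "admin"]` tests whether `body.userRole` is an own property key of the array (i.e. "0", "1", "2"), so for any role string it is false and a caller without those roles can still assign the `system`, `head_of_admin` or `admin` role; the line should read `if (["system", "head_of_admin", "admin"].includes(body.userRole)) {`. The second inner check reads `req.user.roles.includes("branch_admin")` without the optional chaining the surrounding code uses for `req.user.roles?.includes(v)`; when `roles` is undefined the outer guard admits the request into this block and that line throws a TypeError instead of the intended 403, so `!req.user.roles?.includes("branch_admin")` keeps it consistent. Neither the TypeScript compiler nor a test that only exercises admin callers will catch the `in` misuse, so a negative test with a caller lacking those roles and a body of `userRole: "admin"` expecting FORBIDDEN is worth adding alongside this change. The enclosing method starts and ends outside the hunk.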