diff --git a/mo/db.py b/mo/db.py
index 8794e71534d095c6e15a1ebf24a19adde424da16..f5d4bb32f37e86104b559fb9492f0099e273a0b8 100644
--- a/mo/db.py
+++ b/mo/db.py
@@ -549,6 +549,18 @@ class UserRole(Base):
                 and (self.category is None or cat is None or self.category == cat or (self.category == 'Z' and cat.startswith('Z')))
                 and (self.seq is None or seq is None or self.seq == seq))
 
+    def is_legal(self) -> bool:
+        # Některé role mají omezení na úroveň hierarchie.
+        level = self.place.level if self.place else -1
+        rt = self.role
+        if not (rt == RoleType.garant and level <= 0
+                or rt == RoleType.garant_kraj and level == 1
+                or rt == RoleType.garant_okres and level == 2
+                or rt == RoleType.garant_skola and level >= 3):
+            return False
+
+        return True
+
 
 class PaperType(MOEnum):
     solution = auto()
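Review bot: `is_legal()` encodes an authorization invariant (which role type may be bound to which hierarchy level) but leaves two behaviours implicit: a role with no place is given level -1 and so passes only as `RoleType.garant`, and any `RoleType` other than the four listed returns False. Both fail closed, which is the safe direction, but a docstring should state it, e.g. `"""Return True if this role type is allowed at its place's hierarchy level; a missing place counts as level -1 and unlisted role types are rejected."""`. If `RoleType` has members beyond these four (the enum is not visible here, and `UserRole` starts outside this hunk), confirm that making them unassignable is intended. The only call visible in this diff is in `org_org` in mo/web/org_users.py, so roles created through any other path would presumably bypass the check; consider enforcing it where `UserRole` rows are persisted rather than in one view. Wrapping each `rt == ... and level ...` pair in its own parentheses would also keep the rule from depending on `and`/`or` precedence.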
diff --git a/mo/web/org_users.py b/mo/web/org_users.py
index 7d9628d70daf486af54ce6219539f3c7223de8d3..11d56053ec4a0de98df69128e45dfdb0d1597d89 100644
--- a/mo/web/org_users.py
+++ b/mo/web/org_users.py
@@ -289,6 +289,10 @@ def org_org(id: int):
 
             ok = True
 
+            if not new_role.is_legal():
+                role_errors.append('Tato kombinace role a místa není povolena')
+                ok = False
+            elif not g.gatekeeper.can_set_role(new_role):
                 role_errors.append(f'Roli "{new_role}" nelze přidělit, není podmnožinou žádné vaší role')
                 ok = False