diff --git a/mo/db.py b/mo/db.py
index 000d01ca6fd196edc465f7d3a1afa00177514c47..0cf4efc9ce22904f9cc0e437aeb182105657f779 100644
--- a/mo/db.py
+++ b/mo/db.py
@@ -548,6 +548,18 @@ class UserRole(Base):
                 and (self.category is None or cat is None or self.category == cat or (self.category == 'Z' and cat.startswith('Z')))
                 and (self.seq is None or seq is None or self.seq == seq))
 
+    def is_legal(self) -> bool:
+        # Některé role mají omezení na úroveň hierarchie.
+        level = self.place.level if self.place else -1
+        rt = self.role
+        if not (rt == RoleType.garant and level <= 0
+                or rt == RoleType.garant_kraj and level == 1
+                or rt == RoleType.garant_okres and level == 2
+                or rt == RoleType.garant_skola and level >= 3):
+            return False
+
+        return True
+
 
 class PaperType(MOEnum):
     solution = auto()
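Review bot: In `is_legal`, the negated condition returns False for every role that is not one of the four garant types, although the comment above it says only some roles are restricted by hierarchy level. `RoleType` is not visible in this hunk, so if it has other members, any caller that checks `is_legal()` will now refuse to assign them. If rejecting them is intended, state it in a docstring; otherwise let unrestricted roles through first with `if rt not in (RoleType.garant, RoleType.garant_kraj, RoleType.garant_okres, RoleType.garant_skola): return True`. The mixed `and`/`or` chain relies on operator precedence, so parenthesising each `rt == ... and level ...` pair would make this authorization rule easier to audit. A short comment should also record that a role with no place gets `level = -1` and therefore passes the `RoleType.garant and level <= 0` branch.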
diff --git a/mo/web/org_users.py b/mo/web/org_users.py
index daeeb08c19f99787239535f808d0c4d838a99c1b..b0913ee593bf2de41ade61e4483270aa83d3054e 100644
--- a/mo/web/org_users.py
+++ b/mo/web/org_users.py
@@ -289,6 +289,10 @@ def org_org(id: int):
 
             ok = True
 
+            if not new_role.is_legal():
+                role_errors.append('Tato kombinace role a místa není povolena')
+                ok = False
+            elif not g.gatekeeper.can_set_role(new_role):
                 role_errors.append(f'Roli "{new_role}" nelze přidělit, není podmnožinou žádné vaší role')
                 ok = False