Index: lams_admin/src/java/org/lamsfoundation/lams/admin/util/ExcelUserImportFileParser.java
===================================================================
diff -u -rbed82e872766866852ecc9422a2540197ebc8977 -r3d4c6e49eac22677462612f300de55a9504021c3
--- lams_admin/src/java/org/lamsfoundation/lams/admin/util/ExcelUserImportFileParser.java (.../ExcelUserImportFileParser.java) (revision bed82e872766866852ecc9422a2540197ebc8977)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/util/ExcelUserImportFileParser.java (.../ExcelUserImportFileParser.java) (revision 3d4c6e49eac22677462612f300de55a9504021c3)
@@ -42,6 +42,7 @@
 import org.lamsfoundation.lams.themes.CSSThemeVisualElement;
 import org.lamsfoundation.lams.usermanagement.AuthenticationMethod;
 import org.lamsfoundation.lams.usermanagement.Organisation;
+import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.SupportedLocale;
 import org.lamsfoundation.lams.usermanagement.User;
@@ -149,11 +150,16 @@
 if (org!=null || roles!=null) { // save user+roles if org or roles are set
 log.debug("org: "+org+" roles: "+roles);
 if (org!=null && roles!=null) {
- service.save(user);
- writeAuditLog(user);
- service.setRolesForUserOrganisation(user, org, roles);
- //rowResult.add(org.getOrganisationId().toString()); // for stat summary in save action
- log.debug("saved user: "+user.getUserId()+" with roles: "+roles);
+ if (!checkValidRoles(roles, service.isUserSysAdmin(), org.getOrganisationType())) {
+ String[] args = {"("+parseStringCell(row.getCell(ROLES))+")"};
+ rowResult.add(messageService.getMessage("error.roles.invalid", args));
+ } else {
+ service.save(user);
+ writeAuditLog(user);
+ service.setRolesForUserOrganisation(user, org, roles);
+ // rowResult.add(org.getOrganisationId().toString()); // for stat summary in save action
+ log.debug("saved user: "+user.getUserId()+" with roles: "+roles);
+ }
 } else {
 String[] args = new String[1];
 String error;
@@ -173,6 +179,7 @@
 log.debug("saved user: "+user.getUserId());
 }
 } catch (Exception e) {
+ log.debug(e);
 rowResult.add(messageService.getMessage("error.fail.add"));
 }
 log.debug("rowResult size: "+rowResult.size());
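Review bot: The new rejection branch under `if (!checkValidRoles(...))` leaves no server-side trace: a row asking for roles the importing user may not grant is reported only through `rowResult`, while the success path calls `writeAuditLog(user)`. For an admin bulk import this is the event an operator would want to find afterwards, so I would add a line such as `log.warn("user import: rejected roles "+roles+" for org "+org.getOrganisationId());` before `rowResult.add(...)`. The `args` value is the raw ROLES cell taken from the uploaded spreadsheet, so whatever renders `rowResult` should escape it on output; that rendering code is not visible here. The enclosing method starts and ends outside the hunk.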
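Review bot: `log.debug(e);` in the catch block passes the exception as the message, which in the usual logging APIs records its string form without a stack trace, and only when debug logging is enabled. In a production configuration a failed row would then leave nothing behind except the generic `error.fail.add` message. Since this catch presumably also covers anything thrown by the new role check, I would log at error level with the throwable as the second argument: `log.error("user import: failed to add row", e);`. The try block this catch closes starts outside the hunk.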
@@ -349,30 +356,61 @@ int index = roleDescription.indexOf(SEPARATOR, fromIndex); while (index != -1) { log.debug("using role name: "+roleDescription.substring(fromIndex, index)); - List list = service.findByProperty(Role.class, "name", roleDescription.substring(fromIndex, index)); - Role role = (list==null || list.isEmpty() ? null : (Role)list.get(0)); - if (role!=null) { - roles.add(role.getRoleId().toString()); - log.debug("role: "+role.getName()); + String role = addRoleId(roleDescription, fromIndex, index); + if (role==null) { + return null; } else { - return null; // if we can't translate the name to a role, return null + roles.add(role); } fromIndex = index + 1; index = roleDescription.indexOf(SEPARATOR, fromIndex); } log.debug("using rolee name: "+roleDescription.substring(fromIndex, roleDescription.length())); - List list = service.findByProperty(Role.class, "name", roleDescription.substring(fromIndex, roleDescription.length())); - Role role = (list==null || list.isEmpty() ? null : (Role)list.get(0)); - if (role!=null) { - roles.add(role.getRoleId().toString()); - log.debug("rolee: "+role.getName()); - } else { + String role = addRoleId(roleDescription, fromIndex, roleDescription.length()); + if (role==null) { return null; + } else { + roles.add(role); } return roles; } return null; } + + // return id of role name in given role description + private String addRoleId(String roleDescription, int fromIndex, int index) { + List list = service.findByProperty(Role.class, "name", roleDescription.substring(fromIndex, index)); + Role role = (list==null || list.isEmpty() ? 
null : (Role)list.get(0)); + if (role!=null) { + log.debug("role: "+role.getName()); + return role.getRoleId().toString(); + } else { + return null; // if we can't translate the name to a role, return null + } + } + + // return false if a role shouldn't be assigned in given org type + private boolean checkValidRoles(List idList, boolean isSysadmin, OrganisationType orgType) { + // convert list of id's into list of Roles + List roleList = new ArrayList(); + for (String id : idList) { + Role role = (Role)service.findById(Role.class, Integer.parseInt(id)); + if (role!=null) { + roleList.add(role); + } else { + return false; + } + } + + // check they are valid + List validRoles = service.filterRoles(roleList, isSysadmin, orgType); + for (Role r : roleList) { + if (!validRoles.contains(r)) { + return false; + } + } + return true; + } // set CSSThemeVisualElement to default flash theme if cell is empty private CSSThemeVisualElement getFlashTheme(String flashId){ Index: lams_build/lib/lams/lams.jar =================================================================== diff -u -rb99dce44ff7b9066e9b1c0429667e44381dcf0ec -r3d4c6e49eac22677462612f300de55a9504021c3 Binary files differ Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/IUserManagementService.java =================================================================== diff -u -r4c272618da715b9f814eb81630e92abf2ef1a736 -r3d4c6e49eac22677462612f300de55a9504021c3 --- lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/IUserManagementService.java (.../IUserManagementService.java) (revision 4c272618da715b9f814eb81630e92abf2ef1a736) +++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/IUserManagementService.java (.../IUserManagementService.java) (revision 3d4c6e49eac22677462612f300de55a9504021c3) 
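Review bot: `checkValidRoles` is the authorization gate for role assignment during import, but its one-line comment does not say whose privileges are checked or that it fails closed. I would replace the comment with a Javadoc stating that `isSysadmin` describes the user running the import rather than the user being imported, that the method returns false as soon as an id does not resolve to a `Role` or a role is missing from the list returned by `service.filterRoles(...)`, and that the result therefore depends on `Role` equality as used by `contains`. `addRoleId` only looks up and returns an id, so a name like `getRoleId` with the comment `// returns the id of the role named by roleDescription[fromIndex, index), or null if no such role exists` would read more accurately. The method whose loop is changed at the top of this hunk starts outside it.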
@@ -364,4 +364,10 @@
 * @return
 */
 public boolean isUserGlobalGroupAdmin();
+
+ /**
+ * Return true if user has sysadmin role in root organisation.
+ * @return
+ */
+ public boolean isUserSysAdmin();
 }
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java
===================================================================
diff -u -r4a2728da7ea82a98b92d3a8b08feb6efa4023b7d -r3d4c6e49eac22677462612f300de55a9504021c3
--- lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java (.../UserManagementService.java) (revision 4a2728da7ea82a98b92d3a8b08feb6efa4023b7d)
+++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java (.../UserManagementService.java) (revision 3d4c6e49eac22677462612f300de55a9504021c3)
@@ -805,9 +805,18 @@ } } + private Integer getRequestorId() { + UserDTO userDTO = (UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER); + return userDTO.getUserID(); + } + public boolean isUserGlobalGroupAdmin() { - Integer requestorId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID(); Integer rootOrgId = getRootOrganisation().getOrganisationId(); - return isUserInRole(requestorId, rootOrgId, Role.GROUP_ADMIN); + return isUserInRole(getRequestorId(), rootOrgId, Role.GROUP_ADMIN); } + + public boolean isUserSysAdmin() { + Integer rootOrgId = getRootOrganisation().getOrganisationId(); + return isUserInRole(getRequestorId(), rootOrgId, Role.SYSADMIN); + } } \ No newline at end of file
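Review bot: `getRequestorId()` in the UserManagementService hunk dereferences the session attribute without a null check, so `isUserSysAdmin()` and `isUserGlobalGroupAdmin()` throw a NullPointerException when the session holds no `AttributeNames.USER` entry (presumably an expired session or a call made outside a request). An authorization helper should answer "no" explicitly in that case: return null from `getRequestorId()` when `userDTO` is null, and in both callers use `Integer requestorId = getRequestorId();` followed by `if (requestorId == null) return false;`. The Javadoc added to `isUserSysAdmin()` in the IUserManagementService hunk could also state that "user" means the user of the current session, since callers use the result as an authorization input.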