Users, Groups, Access Rights and Record Rules in Odoo
Security Features in Odoo
Users and user roles are critical points concerning internal security in Odoo. Odoo provides several security mechanisms concerning user roles, all implemented in the Odoo Server. They are implemented in the lowest server level, which is the ORM engine.
Odoo distinguishes different concepts:
Persons are identified by their login and password. Note that all employees of a company are not necessarily odoo users, the user is somebody who accesses the odoo application.
Users represent physical persons using Odoo / OpenERP. They are identified with a login and a password, they use Odoo, and they can edit their own preferences - by default, a user has no access rights. The more we assign groups to the user, the more he or she gets the right to perform some actions. A user may belong to one or several groups.
In Odoo, Go to the main menu Settings => Users & Companies => Users
In odoo, users are segregated based on User Types
- Internal User
1) Internal User:
Internal users have access rights to assign the roles and access the more odoo features as per given access to internal users. Internal users have more access compared to Portal users and internal users belong to your company / organization.
Portal members have specific access rights. They usually do not belong to the usual Odoo groups.
Generally, portal users are external users like.. customers/clients. They have limited access to read and view the information. Portal users are not able to edit information.
Public users have specific access rights They usually do not belong to the usual Odoo groups. Public users have access to the website using the URL.
A group of users that has some access rights. A group gives its access rights to the users that belong to the group. Example: Sales Manager, Advisor, etc.
The groups determine the access rights to the different resources. A user may belong to several groups. If he belongs to several groups, we always use the group with the highest rights for a selected resource. A group can inherit all the rights from another group.
In Odoo, Go to the main menu Settings => Users & Companies => Groups
We can assign groups to Users, Menus, Views, Access Rights and Record Rules. groups can be assigned on specific fields from views or from the python code.
Administrator users ( Who have Administrator / Setting access ) can directly assign groups to any user.
Assign Group to Users:
Menu : Settings => Users & Companies => Users
Admin users can assign groups to users directly from the User form view.
Assign Group to Menus:
Menu : Settings => Technical => User Interface => Menu Items
Admin users can directly assign Group / Role on menu items. As per the below example, Accounting / Accountant Users can see the Payments menu which is available under the Accounting => configurations => Payments.
Assign Group to Views:
Menu : Settings => Technical => User Interface => Views
Admin users can directly assign Group / Role on Views. As per the below example Internal User and Portal group is assigned to the project task quickly create a view so, that view can see only Internal Or Portal group users.
Access rights are rules that define the access a user can have to a particular object. Those global rights are defined per document type or model. rights follow the CRUD model: create, read (search), update (write), delete (unlink).
For example, you can define access rights for Accounting / Accountant group users to read, write, create, and delete access to accounts/charts of accounts records.
In Odoo, Go to the main menu Settings => Technical => Security => Access Rights
As per the above access rights example, we can assign model-wise and group-wise access rights.
In Access rights, To Assign Group is not mandatory so, if we do not assign Group in Access rights it will become global, I mean given access to the model (read, write, create, delete) will apply for all users.
We can assign the same access rights directly to the Groups. See the below screenshots.
Security Rule / Record Rule:
A rule that defines the access rights a given group grants or controls the access to its users with domain/condition.
Security rules are attached to groups. You can assign several security rules at the group level, each rule being of one of the following types :
- Access rights are global rights on an object,
- Record rules are recorded access filters,
- Fields access right
You can also define rules that are global, i.e. they are applied to all users, indiscriminately of the groups they belong to. For example, the multi-company rules are global; a user can only see invoices of the companies he or she belongs to. Concerning configuration, it is difficult to have default generic configurations that suit all applications. Therefore, like SAP, Odoo is by default pre-configured with best practices.
In Odoo, Go to the main menu Settings => Technical => Security => Record Rules
Record rule we can configure with Model, Groups and Access Rights and Rules Definition.
Define the Model on which we have to apply the Record Rule. for example, SMS Templates.
As we can see in the screenshots we can assign access rights like, Read, Write, Create, and Delete as needed.
Groups / Group Name:
If we assign Groups in Record rules, it means the record rule will apply only to those specific group users, not to all users.
If we do not apply any Group on record rule, the record rule becomes Global. It means the record rule will apply to all users.
Rule definition is domain filter, where we can define some conditions to restrict Or to show some specific documents/records to users.
Field Access Rights:
Odoo supports real access control at the field level too, not just on the view side. Previously it was already possible to set a group's attribute on an <field> element (or in fact most view elements), but with cosmetic effects only: the element was made invisible on the client side, while still perfectly available for read/write access at the RPC level.
code = fields.Char(string='E-commerce Promotional Code', groups="base.group_user")
There is a major difference with the view-level groups attribute: restricting access at the model level really means that the field will be completely unavailable for users who do not belong to the authorized groups.
- Restricted fields will be completely removed from all related views, not just hidden. This is important to keep in mind because it means the field value will not be available at all on the client side, and thus unavailable e.g. for on_change calls.
- Restricted fields will not be returned as part of a call to fields_get() or fields_view_get() This is in order to avoid them appearing in the list of fields available for advanced search filters, for example. This does not prevent getting the list of a model’s fields by querying ir.model.fields directly, which is fine.
- Any attempt to read or write directly the value of the restricted fields will result in an access error exception.
- As a consequence of the previous item, restricted fields will not be available for use within search filters (domains) or anything that would require read or write access.
- It is quite possible to set group attributes for the same field both at the model and view level, even with different values. Both will carry their effect, with the model-level restriction taking precedence and removing the field completely in case of restriction
When installing your particular instance of Odoo, Some specific users are installed by default.
In Odoo v16 this first user is the SuperUser ( Odoobot ) and the second user is the Administrator. The SuperUser does not have any access restriction. While an admin user is just like other system users and hence administrators have restrictions based on the record rule defined.
For both users by default added access rights to every existing group, as well as to every group created during a new module installation. They also have access to a specific administration interface accessible via the administration menu, allowing the administration of Odoo. The administrator has the right to manage groups; he can add, create, modify or remove groups. He may also modify links between users and groups, such as adding or removing users. He also manages access rights. With those privileges, the administrator can therefore precisely define the security accesses of every user of Odoo. There are user groups that are between normal groups and the superuser.
Those groups are Administration / Settings and Administration / Access Rights. It gives the users of those groups the necessary rights to configure access rights.
If you are interested in this module for your business operations, please contact us at email@example.com. Our ERP Consultant team helps you adopt the best Odoo Integration Services.
Connect with us & Explore More about SerpentCS