When managing business data in Odoo, protecting sensitive information isn’t just a best practice—it’s essential. As your organization grows, you may want certain fields, like employee salary or bank account details, to be visible only to authorized personnel.
That’s where field-level security in Odoo 19 comes in.
This feature allows administrators to define exactly who can view or edit individual fields within a model, giving your business greater control over data privacy and compliance.
What Is Field-Level Security?
Field-level security (FLS) is a mechanism in Odoo that restricts access to specific fields based on user roles or groups.
Unlike record rules (which limit access to entire records), FLS operates at the field level—meaning even within the same record, two users might see different data.
For example:
- A payroll manager can view and edit the salary field.
- A regular HR employee might only see the job title and department.
This fine-grained approach to permissions ensures sensitive information stays where it belongs—in trusted hands.
Why Field-Level Security Matters
- Protects sensitive data: ensures that confidential fields, such as salaries and tax IDs, are visible only to authorized users.
- Improves usability: keeps forms clean by hiding unnecessary fields from users.
- Enhances compliance: reduces the risk of data leaks and unauthorized edits.
- Works seamlessly with record-level security (record rules) and model ACLs for full access control.
Define Security Groups
Create a new XML file to define your security groups.
security/contact_field_security_groups.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<odoo>
    <record id="group_sales_manager_contact" model="res.groups">
        <field name="name">Contact: Sales Manager</field>
    </record>
    <record id="group_accountant_contact" model="res.groups">
        <field name="name">Contact: Accountant</field>
    </record>
    <record id="group_hr_manager_contact" model="res.groups">
        <field name="name">Contact: HR Manager</field>
    </record>
</odoo>
These groups determine which users can access specific fields.
Users outside these groups can't see or edit the restricted fields, either in the backend UI or through API calls.
Extend the res.partner Model
Inherit the res.partner model and define new fields that you want to protect.
models/res_partner.py:
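# -*- coding: utf-8 -*-
from odoo import fields, models


class ResPartner(models.Model):
    _inherit = 'res.partner'

    # groups on the field definition is enforced by the ORM, so the
    # restriction also covers RPC/API access, not only the form view.
    credit_limit = fields.Float(
        string='Credit Limit',
        groups='field_level_security.group_sales_manager_contact',
    )
    bank_account_id = fields.Many2one(
        'res.partner.bank',
        string='Bank Account',
        groups='field_level_security.group_accountant_contact',
    )
    vat = fields.Char(
        string='Tax ID',
        groups='field_level_security.group_accountant_contact',
    )
    employee_salary = fields.Float(
        string='Employee Salary',
        groups='field_level_security.group_hr_manager_contact',
    )

These fields are now part of the res.partner model. The groups attribute on each field definition restricts access at the model level; the view in the next step uses the same groups to control where the fields appear.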
Apply Field-Level Access in the View
Define which groups can view or edit each field in your form view using the groups attribute.
views/res_partner.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<odoo>
    <record id="view_partner_form" model="ir.ui.view">
        <field name="name">res.partner.form.field.security</field>
        <field name="model">res.partner</field>
        <field name="inherit_id" ref="base.view_partner_form"/>
        <field name="arch" type="xml">
            <xpath expr="//field[@name='category_id']" position="after">
                <field name="credit_limit"
                       groups="field_level_security.group_sales_manager_contact"/>
                <field name="bank_account_id"
                       groups="field_level_security.group_accountant_contact"/>
                <field name="vat"
                       groups="field_level_security.group_accountant_contact"/>
                <field name="employee_salary"
                       groups="field_level_security.group_hr_manager_contact"/>
            </xpath>
        </field>
    </record>
</odoo>
- groups="module_name.group_id": displays the field only for users in that group.
- Visibility and access apply both in backend views and API responses.
- Clean UI: Other users won’t even see those fields in forms or lists.
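An added example (not from the original post or from Odoo): a static check, using only the Python standard library, that flags fields restricted by groups in a view but not on the model's field definition. A groups attribute on a view node only removes the field from the rendered view, while groups on the field definition is what the ORM enforces for RPC calls; the sample sources and function names below are constructed for illustration.

```python
import ast
import xml.etree.ElementTree as ET

# Constructed sample inputs: employee_salary has groups in the view only.
MODEL_SRC = """
class ResPartner(models.Model):
    _inherit = 'res.partner'
    credit_limit = fields.Float(
        string='Credit Limit',
        groups='field_level_security.group_sales_manager_contact',
    )
    employee_salary = fields.Float(string='Employee Salary')
"""
VIEW_SRC = """
<odoo><record id="view_partner_form" model="ir.ui.view">
  <field name="arch" type="xml">
    <field name="credit_limit"
           groups="field_level_security.group_sales_manager_contact"/>
    <field name="employee_salary"
           groups="field_level_security.group_hr_manager_contact"/>
  </field>
</record></odoo>
"""

def model_field_groups(source):
    """Map each `name = fields.Type(...)` assignment to its groups value."""
    found = {}
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Assign) and isinstance(node.value, ast.Call)):
            continue
        func = node.value.func
        if not (isinstance(func, ast.Attribute)
                and isinstance(func.value, ast.Name) and func.value.id == "fields"):
            continue
        groups = next((kw.value.value for kw in node.value.keywords
                       if kw.arg == "groups" and isinstance(kw.value, ast.Constant)),
                      None)
        for target in node.targets:
            if isinstance(target, ast.Name):
                found[target.id] = groups
    return found

def ui_only_restrictions(model_source, view_source):
    """Fields restricted by groups in the view but not on the model field."""
    model = model_field_groups(model_source)
    return sorted({el.get("name") for el in ET.fromstring(view_source).iter("field")
                   if el.get("groups") and el.get("name") in model
                   and not model[el.get("name")]})
```

Run against a module's real model and view files, an empty result means every field hidden in the view is also restricted at the model level.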

Implementing Field-Level Security in Odoo 19 is a simple yet powerful way to safeguard sensitive business data.
By using the groups attribute in both models and views, you ensure that users only see information relevant to their roles—improving data security, usability, and compliance.
Frequently Asked Questions (FAQ)
1. Can I apply multiple groups to the same field?
A: Yes. You can list multiple groups separated by commas (OR logic).
Example: groups="sales_team.group_sale_manager,hr.group_hr_manager"
2. Does field-level security affect API responses?
A: Yes. Restricted fields are not accessible even through RPC or API calls.
3. Can I hide fields dynamically without groups?
A: Yes, you can use record rules, computed fields, or conditional visibility in views — but groups remain the most reliable method.