Odoo has a unique identity in ERP, which is compatible with both small and large scale business,
Records in a business are highly sensitive, so it is important to maintain the security of records. Similar to previous Odoo versions, one can set groups, access rights, and rules for the safety of records. Here we will be discussing more about record rules in Odoo 14.
To know more information about security in Odoo, please take a took at the blog Security in Odoo
Record rules are set to determine who can access the object, according to the rule. To manage rules, we have access modes for the object. There are of four types,
Create: Access to create records in the object.
Write: Access to write records in the object (Edit).
Read: Access to read records in the object (View only)
Delete: Delete access for records in the object
Record rules can be set both from the front and back end. First, we are going to discuss, how can record rules be created from the back end.we set record rules in an XML file (security >> modulename_security.xml). Here we are considering an example from the Fleet module. In this module fleet, only the driver (ie, fleet user) can see his / her details of the vehicle.
<record id = "fleet_rule_vehicle_visibility_user" model = "ir.rule">
<field name = "name"> User can only see his / her vehicle </field>
<field name = "model_id" ref = "model_fleet_vehicle" />
<field name = "groups" eval = "[(4, ref ('fleet_group_user'))]" />
<field name = "perm_read" eval = "True" />
<field name = "perm_write" eval = "True" />
<field name = "perm_create" eval = "False" />
<field name = "perm_unlink" eval = "False" />
<field name = "domain_force"> [('driver_id', '=', user.partner_id.id)] </field>
</record>
So we create a rule for the group fleet_group_user. To get more details about groups, refer to the blog: How to Create a Security Group in Odoo 13
<field name = "model_id" ref = "model_fleet_vehicle" />
Here the model name is fleet.vehicle, so ref = "model_fleet_vehicle". This rule is applicable only to the group fleet_group_user. Rules can be defined for multiple groups as well. Then we move to access permissions. Here we can set access rights for the user. We are setting a rule in such a way that the driver has permission only to read and write.So permission is as follows,
<field name = "perm_read" eval = "True" />
<field name = "perm_write" eval = "True" />
<field name = "perm_create" eval = "False" />
<field name = "perm_unlink" eval = "False" />
The user group (fleet_group_user) does not have permission to create and delete so both are set as False. Next is domain_force,
<field name = "domain_force"> [('driver_id', '=', user.partner_id.id)] </field>domain_force acts as a filter for the records where the rule is applied. Here the filter is applied as the definition of the rule, driver_id is equal to the user's partner_id.id. One can also apply for complete records, then domain_force is as follows,
<field name = "domain_force"> [(1, '=', 1)] </field>
One can use more than one condition to apply the filter,
<field name = "domain_force"> ['|', ('driver_id', '=', user.partner_id.id), ('company_id', 'in', company_ids)] </field>Here we have filtered with partner_id and company_id. So the records will be filtered as the current company where driver_id = user.partner_id. id.
This is how we can set record rules from the back end (ie, XML code). One can view and create records rules from the front end as well, For that, turn to debug mode Goto -> Settings -> Technical -> Record Rules,
Here the complete list of record rules in the system can be seen.
The above picture is the view of the record rule that we created from the back end (XML code).
We can also create record rules from the front end,
Name: Name for the rule.
Object: Object to which rule has to apply (model).
Active: Active rules are applied to the system.
Access Rights: All access is permitted by default.
Apply for Read: if the user has no permission to read records, uncheck it.
Apply for Write: if the user has no permission to write records, uncheck it.
Apply for Create: if the user has no permission to create records, uncheck it.
Apply for Delete: if the user has no permission to delete records, uncheck it.
Rule Definition (Domain filter): Rule definition is the condition to filter the records, Eg: [('driver_id', '=', user.partner_id.id)]
Groups: One can specify groups to which rule has to be applied. To apply globally, don't need to specify groups.