By: Saritha

Security in Odoo

Functional Odoo 8

Security is a major concern for any application. In Odoo we can control what users can and cannot do at different levels. Each of the four basic operations (read, write, create, and unlink) can be controlled independently, e.g. allow only read, allow only create, or grant permission to create or delete only. We can also hide fields or menus from some users and show them to others, or make fields read-only for some users and editable for others. We use groups to control users.
How to assign users to groups?
Security access in Odoo is configured through security groups: permissions are given to groups and then groups are assigned to users.
Go to Settings > Groups
security-in-odoo-1-cybrosys
Odoo has a lot of groups. Once you know about groups, you can select one from the list of groups, as shown in the figure above. For example, let us examine Inventory/Manager, which you can select by scrolling down.
security-in-odoo-2-cybrosys
Here you can add as many users as you want under the Users tab, so that only those users can view the Inventory.
Security mechanisms in Odoo
Apart from manually managing access using custom code, Odoo provides two main data-driven mechanisms to manage or restrict access to data.
Both mechanisms are linked to specific users through groups: a user belongs to any number of groups, and security mechanisms are associated with groups. This is how the security mechanisms are applied to users.
1) Access Control
In Odoo, views and menus are restricted to a user according to access right permissions. Only the admin has the right to view all records. Access right permissions are managed by creating an ir.model.access.csv file.
This file can:
a) Grant permissions like read, write, update, and delete on a model.
b) Assign groups. If no group is assigned, the access right applies to all users. Otherwise, it applies only to users in that particular group.
Access controls are additive. For example, if the user belongs to one group which allows writing and another which allows deleting, they can both write and delete.
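As an added example (not part of the original article and not Odoo's own code), the Python sketch below models the two rules just stated: a row with no group applies to all users, and grants from several groups are additive. The CSV rows, model names and group names are constructed for illustration, and the helper functions are hypothetical.

```python
import csv
import io

# Constructed sample in the ir.model.access.csv column layout.
# The model and group names are hypothetical.
SAMPLE_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_book_all,book.all,model_library_book,,1,0,0,0
access_book_user,book.user,model_library_book,library.group_user,1,1,0,0
access_book_clerk,book.clerk,model_library_book,library.group_clerk,1,0,0,1
access_loan_mgr,loan.manager,model_library_loan,library.group_manager,1,1,1,1
access_tag_all,tag.all,model_library_tag,,1,1,0,0
"""

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")


def load_acl(text):
    """Parse ir.model.access.csv text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def effective_perms(rows, model, user_groups):
    """Union of grants from every row that applies to the user (additive).

    A row applies if its group is empty (all users) or is one of user_groups.
    """
    granted = set()
    for row in rows:
        if row["model_id:id"] != model:
            continue
        group = row["group_id:id"].strip()
        if group and group not in user_groups:
            continue
        granted.update(p for p in PERMS if row[p].strip() == "1")
    return granted


def groupless_rows(rows, risky=("perm_write", "perm_create", "perm_unlink")):
    """Row ids with no group that grant more than read: worth a review."""
    return [r["id"] for r in rows
            if not r["group_id:id"].strip()
            and any(r[p].strip() == "1" for p in risky)]


if __name__ == "__main__":
    acl = load_acl(SAMPLE_CSV)
    groups = {"library.group_user", "library.group_clerk"}
    print(sorted(effective_perms(acl, "model_library_book", groups)))
    print(groupless_rows(acl))
```

Running `groupless_rows` over a module's access file before deployment is a quick way to spot rows that grant write, create or unlink to every user because the group column was left empty.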
Access rights
security-in-odoo-3-cybrosys
Below is the process to create an Access Control List in Odoo without custom code.
The Access control lists determine the general permissions (read, write, create, delete) on each object. By default, the superuser has all permissions on all objects.
To grant rights to users, the admin goes to Settings > Technical > Security > Access Controls List.
2) Record Rules
Record rules are conditions that records must satisfy for an operation (create, read, update or delete) to be allowed. They are applied record-by-record after access control has been applied.
A record rule has:
- a model
- a set of permissions to which it applies
- a set of user groups to which the rule applies; if no group is specified, the rule is global
- a domain used to check whether a given record matches the rule (and is accessible) or does not (and is not accessible)
security-in-odoo-4-cybrosys

3) Field Access
A field can have a groups attribute providing a list of groups. If the current user is not in one of the listed groups, they will not have access to the field.
<!-- Button visible only to members of hr.group_hr_user -->
<button name="toggle_active" type="object" groups="hr.group_hr_user"/>
<field name="name"/>
<!-- Field visible only to members of base.group_multi_company -->
<field name="company_id" groups="base.group_multi_company"/>
4) Workflow Transition rules
Workflow transitions can be restricted to a particular user.
Go to Settings > Workflow > Transitions
A Transition has:
- Source Activity: specifies the starting state of the transition
- Destination Activity: specifies the ending state of the transition
- Signal (Button Name): specifies the activity name
- Condition: used to check whether the workflow instance progresses through the transition or not
- Group Required: specifies the group
security-in-odoo-5-cybrosys





5 Comments

Naruto Uzumaki

Can you please publish an article by showing how to write custom code for access rule and how to add menu item to normal users.

25/02/2019 - 11:41PM

siddiq

well written, nice

21/09/2017 - 4:52AM

Raizen

Nice

13/03/2018 - 12:00AM

Sadnan khan

very nice explanation, thanks

07/10/2020 - 3:18AM

omar ahmed

nice article ...

05/12/2019 - 6:45AM


