Security is a major concern when an application is considered. We can control what the user can do and what users can't-do on a different level. Control independently each of the four basic operations: read, write, create, and unlink. I.e. allow only read, allow only create, grant permission to create or delete only. Also, we can hide fields or menus for some users and show them for others, make fields read-only for some users and make them editable for others. We use groups to control users.
How to assign users to groups?
Security access in Odoo is configured through security groups: permissions are given to groups and then groups are assigned to users.
Go to Settings > Groups
Odoo has a lot of groups. Once you know about groups, you can select groups from the list of groups as shown in the above figure. For example, let examine Inventory/Manager. You can select this group by scrolling down.
Here you can see, you can add as many as users under the Users tab so that only that users can view Inventory.
Security mechanisms in Odoo
Aside from manually managing access using custom code, Odoo provides two main data-driven mechanisms to manage or restrict access to data.
Both mechanisms are linked to specific users through groups: a user belongs to any number of groups, and security mechanisms are associated with groups, thus applying security mechanisms to users.
1) Access Control
In Odoo, views and menus are restricted to a user due to access right permission. Only admin has the right to view all records. Access right permission is managed by creating an ir.model.access.csv file.
This file can
a) Grant permission like reading, write, update, and delete to a model.
b) Can assign groups. If no group is assigned access right is applicable for all users. Else applicable only for users in that particular group
Access controls are additive, for example, if the user belongs to one group which allows writing and another which allows deleting, they can both write and delete.
To Create Access Control List in Odoo without custom code below is the process
The Access control lists determine the general permissions (read, write, create, delete) on each object. By default, the superuser has all permissions on all objects.
If admin provides the right to users then Go to
Settings > Technical > Security > Access Controls List
Record rules are conditions that records must satisfy for an operation (create, read, update or delete) to be allowed. It is applied record-by-record after access control has been applied.
A record rule has
- a model
- a set of permissions to which it applies
- a set of user groups to which the rule applies, if no group is specified the rule is global
- a domain used to check whether a given record matches the rule (and is accessible) or does not (and is not accessible).
The field can have groups attribute providing a list of groups. If the current user is not in listed groups, he will not have access to the field.
<button name=”toggle_active” type=”object” groups=”hr.group_hr_user”
<field name=”company_id” group=”base.group_multi_company”
4) Workflow Transition rules
Workflow transitions can be restricted to a particular user.
Go to- Settings -> Workflow -> Transitions
A Transition has:
- Source Activity: which specify the starting state of transition
- Destination Activity: which specify the ending state of transition
- Signal(Button Name): which specify activity name
- Condition: which is used to check if the workflow instance progresses through the transition or not
- Group Required: specify the group.