Enable Dark Mode!
By: Saritha

Security in Odoo

Functional Odoo 8

Security is a major concern when an application is considered. We can control what the user can do and what users can't-do on a different level. Control independently each of the four basic operations: read, write, create, and unlink. I.e. allow only read, allow only create, grant permission to create or delete only. Also, we can hide fields or menus for some users and show them for others, make fields read-only for some users and make them editable for others. We use groups to control users.

How to assign users to groups?

Security access in Odoo is configured through security groups: permissions are given to groups and then groups are assigned to users.

 Go to Settings > Groups


Odoo has a lot of groups. Once you know about groups, you can select groups from the list of groups as shown in the above figure. For example, let examine Inventory/Manager. You can select this group by scrolling down.


Here you can see, you can add as many as users under the Users tab so that only that users can view Inventory.
Security mechanisms in Odoo
Aside from manually managing access using custom code, Odoo provides two main data-driven mechanisms to manage or restrict access to data.

Both mechanisms are linked to specific users through groups: a user belongs to any number of groups, and security mechanisms are associated with groups, thus applying security mechanisms to users.
1) Access Control
In Odoo, views and menus are restricted to a user due to access right permission. Only admin has the right to view all records. Access right permission is managed by creating an ir.model.access.csv file.

This file can

a) Grant permission like reading, write, update, and delete to a model.

b) Can assign groups. If no group is assigned access right is applicable for all users. Else applicable only for users in that particular group

Access controls are additive, for example, if the user belongs to one group which allows writing and another which allows deleting, they can both write and delete.

Access rights


To Create Access Control List in Odoo without custom code below is the process

The Access control lists determine the general permissions (read, write, create, delete) on each object. By default, the superuser has all permissions on all objects.

If admin provides the right to users then Go to 

 Settings > Technical > Security > Access Controls List

Record Rules
Record rules are conditions that records must satisfy for an operation (create, read, update or delete) to be allowed. It is applied record-by-record after access control has been applied.

A record rule has

- a model 
- a set of permissions to which it applies 
- a set of user groups to which the rule applies, if no group is specified the rule is global
- a domain used to check whether a given record matches the rule (and is accessible) or does not (and is not accessible). 


Field Access
    The field can have groups attribute providing a list of groups. If the current user is not in listed groups, he will not have access to the field.

<button name=”toggle_active” type=”object” groups=”hr.group_hr_user”

<fiels name=”name”/>
<field name=”company_id” group=”base.group_multi_company”

4) Workflow Transition rules

Workflow transitions can be restricted to a particular user.

 Go to- Settings -> Workflow -> Transitions

A Transition has:

- Source Activity: which specify the starting state of transition
- Destination Activity: which specify the ending state of transition
- Signal(Button Name): which specify activity name
- Condition: which is used to check if the workflow instance progresses through the transition or not
- Group Required: specify the group.


If you need any assistance in odoo, we are online, please chat with us.

cybrosys youtube


Naruto Uzumaki

Can you please publish a article by showing how to write custom code for access rule and how to add menu item to normal users.





well written, nice





For a large organization, security is very important and requires experienced, dedicated Odoo Consultant who will guide you through the implementation & assist with the important security measures. Contact us for a free consultation.









Sadnan khan

very nice explanation,,,,thanks




omar ahmed

nice article ...




Leave a comment


Cybrosys Technologies Pvt. Ltd.
Neospace, Kinfra Techno Park
Kakkancherry, Calicut
Kerala, India - 673635


Cybrosys Limited
Alpha House,
100 Borough High Street, London,
SE1 1LB, United Kingdom


Cybrosys Technologies Pvt. Ltd.
1st Floor, Thapasya Building,
Infopark, Kakkanad,
Kochi, India - 682030.


Cybrosys Techno Solutions
The Estate, 8th Floor,
Dickenson Road,
Bangalore, India - 560042

Send Us A Message