User Access Groups

User Access Groups define access given to groups of users in an Odoo database. They standardize and simplify user access so that setting up a user should be fairly simple.

To review Access Groups enable Developer Mode, navigate to Settings and select Users & Companies > Groups

There are several different types of user access group:

  1. User Types (Internal, Portal, Public)
    • Users must be allocated to one of these
  2. Application access groups, for example: Inventory User, Purchase Administrator (Manager), Accountant.
  3.  ‘Technical Settings‘ access groups relate to specific functionality:
    • Manage multiple units of measure
    • Analytic accounting
  4. Extra Rights (Multi Currency, Multi Company)
  5. Other (Access to Private Addresses

They grant access to:

    1. Database
      1. Models
      2. Records (through Record Rules)
      3. Fields (not normally used) 
    2. Views 
    3. Menus
    4. Windows Actions
    5. Other elements (Buttons, Wizards)

User access groups “inherit” permissions from other groups. This is standard for the application access groups. For example:

  • Purchase Manager inherits the Purchase User rights
  • Purchase User inherits the Internal User rights

The “Technical Settings” groups do not normally inherit access

  • On exception (in Odoo 13) is that the ‘Advanced Pricelists’ group inherits from ‘Basic Pricelists’ (which is another Technical Settings group).

User types

  1. Internal users can have full access to Odoo applications
  2. Portal users could be customers or suppliers (with limited access)
  3. Public users can only access the website

Internal Users

  1. Internal Users are almost always members of multiple application access groups (e.g. Purchase Manager and Inventory User).
  2. Internal Users will also be members of several ‘technical’ access groups, each of which has a specific purpose, for example:
    • Manage multiple units of measure
    • Analytic accounting
  3. Internal Users may also have Extra Rights (Multi Currency, Multi Company), and other access (e.g. Private Addresses). Again, these are all access groups.

Application Access Groups

We’ll look at the access for the Sales application.

Enable Developer Mode, Navigate to Settings, select Users & Companies > Groups and set the filter to see sales groups:

There are three groups for sales

  1. Sales Administrators (Managers)
  2. Sales / User: All Documents
  3. Sales / User: Own Documents Only

Inheritance

We can see the structure from the Inherited tab

Starting with the “Own Documents” group (lowest level for Sales)

The “Own Documents” group inherits the “Internal User” group, which provides a basic level of access. It also provides access to two related apps if they are installed: Subscriptions and Events.

The “All Documents” group inherits the “Own Documents” group.

This means that all the access granted to Sales / User: Own Documents Only is also available for user in the group Sales / User: All Documents

The highest level for Sales is the Administrator (Manager)

As you would expect, this inherits the “Sales / All Documents” group and if the website app is installed it also inherits “Restricted Editor”.

The “Own Documents” group grants access to six sales menus plus other menus in related apps.

Note that some menus are not restricted to specific access groups.

The “all documents” group doesn’t have any extra menus.

The sales administrator (manager) has access to more menus:

Views

The “Own Documents” group grants access to some views. Note that most views are available for all user access groups, and therefore this tab may be empty.

The other two sales groups don’t have access to any extra views.

Model Access Rights

This is an important part of security in Odoo and if a user does not have the correct access you will have problems in Odoo. There is more information about Model Access here, including the four permissions (Read, Write, Create and Delete).

The “Sales / Own Documents” group has access to 54 models in this demo database:

The “all documents” group doesn’t grant any additional access

However, the “Sales / Administrator” access group does grant additional access:

For example, the first two groups (“own documents” and “all documents”) do NOT allow users to create, amend or delete products, but the “Administrator” has full access:

If a user only has Read access then certain actions will not be available in Odoo (for example ‘Create and Edit’, and the ‘Create’ button).

This is important to understand, and Odoo demonstrations or YouTube video will often be done using a high-level of access that a normal user would not have!

Of course, you can configure your system however you want, and you may choose to make things “easy” for users or add more controls.

Record Rules

Record Rules control access to records within a Model (database table), as explained here.

These are the Record Rules for the “Sales / Own Documents” group:

  • The “Personal” rules limit this group to their own sales orders only, plus any orders that are not owned by anyone.
  • They also have full access to all records of other models (this implies that other users have access to some records only, because otherwise there would be no need for Record Rules on these Models).

The “all documents” group have access to all records through the domain [(1,'=',1)] (which is always true).

The Sales Administrator group doesn’t need additional access because it inherits full access from the “All Documents” group.

Other access rights

Note that this menu option does not allow you to review all the access rights for a group. You can find more information elsewhere, including:

  • ‘Security’ tab for Fields and Windows Actions in Technical Settings.
  • Within XML views or Python source code

Technical user access groups

As well as Application access groups (described above), Odoo has what are called “Technical” groups. These are visible (in Developer Mode) on the User profile (as shown here)

In principle, these are no different to the Application Access Groups, but they each serve a much more limited purpose and grant less access

  • None of these groups have Record Rules
  • Only two Technical Groups (in Odoo 13) grant Model Access
    • Analytic Accounting
    • Manage Mass Mail Campaign
  • Some Groups grant access to Views and Menus.
  • Some don’t directly grant any access at all.
    • Instead Odoo functionality may be conditioned on whether a user is a member of one of these “Technical” groups, and you will need to search through XML Views and Python code to confirm.

Examples:

  • “Manage Product Variants” grants access to Menus
  • “Manage Multiple Stock Locations” grants access to Menus and Views
  • “Analytic Accounting” grants access to Menus, Views and Models
  • “Addresses in Sales Orders” doesn’t grant any access, but is used in XML
    • <field name="partner_shipping_id" groups="sale.group_delivery_invoice_address">

Extra Rights and Other access groups

Contact Creation

This grants a user full access to Contacts (res.partner) and a number of other Models, and Read access to another group of Models.

Multi-Company & Multi-Currency

These can be considered as system ‘flags’ that are used within Odoo.

Technical Features

This was used to grant users access to several ‘configuration’ menus. It is now obsolete and so is not shown (but it does still exist).

Access to Private Addresses

This enables a Record Rule. More details here

Access

Access for a user is a combination of the permissions (Read, Write, Create and Delete) from all the groups assigned to them.

This applies both for Models and Records (i.e. Record Rules).

So a user could have Write access to a Model from one group and Delete access from another group, and also Write access to records from one group and Delete access from another group.

This can become quite complex if users have access to multiple applications, and you may find that they can do things that they shouldn’t be add to do!

That’s because both Models and Access Groups are used across applications

Note also that:

  • User’s authorization to menu items will limit what they can do:
    • You can change this if required
    • However, removing access to menus may not fully limit access because there may be links within the application (for example, click on a product to display – and edit – information about the product)
  • The design of the application may add further restrictions

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s