User Access Groups and more about access

It’s a basic requirement of any IT application that users are granted the access they need to do their job and not full access to everything.

In most ERP systems this is achieved by allocating users to User Access Groups, which is simpler than having to define the detailed access for each user.

  • For example, you might have three users who enter customer sales orders into Odoo – they all need the same access and so you can add them to the user access group Sales / User: All Documents. Job done.

In Odoo, the User Access Groups are pre-defined, and using this default setup will normally work, but it won’t meet the detailed requirements of all companies – and anyway it’s important to understand how it works.

You might want to start by reviewing User Setup (which is where we select the User Access Groups for each user).

To review Access Groups, enable Developer Mode, navigate to Settings and select Users & Companies > Groups.

There are several different types of user access group:

  1. Application access groups, for example:
    • Inventory User
    • Purchase Administrator (Manager)
    • Accountant
  2. ‘Technical Settings’ access groups relate to specific functionality such as:
    • Manage multiple units of measure
    • Analytic accounting
  3. Extra Rights (Multi Currency, Multi Company)
  4. Other (Access to Private Addresses)

User Access Groups grant access to:

    1. Database:
      1. Models
      2. Records (through Record Rules)
      3. Fields (not normally used) 
    2. Views 
    3. Menus
    4. Windows Actions 
    5. Other elements (Buttons, Wizards)

User access groups “inherit” permissions from other related groups. This is standard for the application access groups. For example:

  • Purchase Manager inherits the rights of the Purchase User 
  • Purchase User inherits the rights of the Internal User 

The “Technical Settings” groups do not normally inherit access:

  • One exception (in Odoo 13) is that the ‘Advanced Pricelists’ group inherits from ‘Basic Pricelists’ (which is another Technical Settings group).

Let’s look at each type of User Access Group in more detail:

Application Access Groups

We’ll use the access for the Sales application as an example.

To review this, enable Developer Mode, and then:

  1. Navigate to Settings
  2. Select Users & Companies > Groups
  3. Set a filter to see sales groups:

There are three groups for sales:

  1. Sales Administrators (Managers)
  2. Sales / User: All Documents
  3. Sales / User: Own Documents Only

The first tab is a list of users. You can add or remove users here; this has the same effect as adding the group to, or removing it from, a user.

We can see the structure from the next tab:

Inheritance

Starting with the “Own Documents” group (lowest level for Sales)

The “Own Documents” group inherits the “Internal User” group, which provides a basic level of access for all internal users.

It also provides access to two related apps if they are installed:

  1. Subscriptions
  2. Events.
  • Note that Odoo 16 merged the Subscriptions app into Sales (somewhat controversially).

The “All Documents” group inherits the “Own Documents” group.

This means that all the access granted to Sales / User: Own Documents Only is also available to users in the group Sales / User: All Documents.

The highest level for Sales is the Administrator (Manager).

As you would expect, this inherits the “Sales / All Documents” group and if the website app is installed it also inherits “Restricted Editor”.

The “Own Documents” group grants access to six sales menus plus other menus in related apps.

Note that some menus are not restricted to specific access groups.

The “all documents” group doesn’t have any extra menus.

The sales administrator (manager) has access to more menus:

Views

The “Own Documents” group grants access to some views. Note that most views are available for all user access groups, and therefore this tab may be empty.

The other two sales groups don’t have access to any extra views.

Model Access Rights

This is an important part of security in Odoo and if a user does not have the correct access you will have problems in Odoo. There is more information about Model Access here, including the four permissions (Read, Write, Create and Delete).

The “Sales / Own Documents” group has access to 54 models in this demo database:

  • Note that this only provides read access for products (so a user can’t create new products or amend / delete existing products)
    • However, the user might be a member of another group that does allow them to create / amend / delete products.

The “all documents” group doesn’t grant any additional model access. Unsurprisingly, the “Sales / Administrator” access group does grant additional access:

As noted above, the first two groups (“own documents” and “all documents”) do NOT allow users to create, amend or delete products, but the “Administrator” has full access:

If a user only has Read access then certain actions will not be available in Odoo (for example ‘Create and Edit’, and the ‘Create’ button).

This is important to understand, and Odoo demonstrations or YouTube videos will often be done using a high level of access that a normal user would not have!

Of course, you can configure your system however you want, and you may choose to make things “easy” for users or add more controls.

Record Rules

Record Rules control access to records within a Model (database table), as explained here.

These are the Record Rules for the “Sales / Own Documents” group:

  • The “Personal” rules limit this group to their own sales orders only, plus any orders that are not owned by anyone.
  • They also have full access to all records of other models (this implies that other users have access to some records only, because otherwise there would be no need for Record Rules on these Models).

The “all documents” group has access to all records through the domain [(1,'=',1)] (which is always true).

The Sales Administrator group doesn’t need additional access because it inherits full access from the “All Documents” group.
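The rule combination described above can be reproduced outside Odoo. The following is an added example, not code from the original article or from Odoo itself: a small evaluator for prefix-notation domains, applied to constructed sale orders. The “Personal” domain shown is an assumption written to match the description above (own orders plus unowned orders), and it relies on Odoo's behaviour of OR-ing the Record Rules that come from a user's groups.

```python
# Constructed sample records standing in for sale.order rows.
ORDERS = [
    {"name": "S001", "user_id": 7},
    {"name": "S002", "user_id": 8},
    {"name": "S003", "user_id": False},   # not owned by anyone
]


def personal_rule(uid):
    """Assumed 'Personal' domain: own orders, or orders with no owner."""
    return ["|", ("user_id", "=", uid), ("user_id", "=", False)]


ALL_DOCUMENTS_RULE = [(1, "=", 1)]        # always true, as quoted in the article


def matches(domain, record):
    """Evaluate a prefix-notation domain ('|', '&' and '=' leaves only)."""
    def walk(pos):
        token = domain[pos]
        if token in ("|", "&"):
            left, pos = walk(pos + 1)
            right, pos = walk(pos)
            return (left or right) if token == "|" else (left and right), pos
        field, op, value = token
        if op != "=":
            raise ValueError(f"operator {op!r} not supported in this sketch")
        # A non-string left side (the literal 1) is compared as-is.
        actual = record.get(field, False) if isinstance(field, str) else field
        return actual == value, pos + 1

    results, pos = [], 0
    while pos < len(domain):              # top-level terms are implicitly AND-ed
        ok, pos = walk(pos)
        results.append(ok)
    return all(results)


def visible(rules_from_groups, records):
    """Group rules are OR-ed: a record is visible if any one rule matches it."""
    return [r["name"] for r in records
            if any(matches(d, r) for d in rules_from_groups)]
```

A user in “All Documents” carries both rules because of inheritance, so `visible([personal_rule(7), ALL_DOCUMENTS_RULE], ORDERS)` returns every order, while the “Own Documents” rule alone returns only S001 and S003 for user 7.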

Other access rights

Note that this menu option does not allow you to review all the access rights for a group. You can find more information elsewhere, including:

  • ‘Security’ tab for Fields and Windows Actions in Technical Settings.
  • Within XML views or Python source code

Technical user access groups

As well as Application access groups (described above), Odoo has what are called “Technical” groups. These are only visible on the User profile in Developer Mode (as shown here).

In principle, these are no different to the Application Access Groups, but they each serve a much more limited purpose and grant less access:

  • None of these groups have Record Rules
  • Only two Technical Groups (in Odoo 13) grant Model Access
    1. Analytic Accounting
    2. Manage Mass Mail Campaign
  • Some Groups grant access to Views and Menus.
  • Some don’t directly grant any access at all.
    • Instead Odoo functionality may be conditioned on whether a user is a member of one of these “Technical” groups, and you will need to search through XML Views and Python code to confirm.

Examples:

  • “Manage Product Variants” grants access to Menus
  • “Manage Multiple Stock Locations” grants access to Menus and Views
  • “Analytic Accounting” grants access to Menus, Views and Models
  • “Addresses in Sales Orders” doesn’t grant any access, but is used in XML
    • <field name="partner_shipping_id" groups="sale.group_delivery_invoice_address">

Extra Rights and Other access groups

Contact Creation

This grants a user full access to Contacts (res.partner) and a number of other Models, and Read access to another group of Models.

Multi-Company & Multi-Currency

These can be considered as system ‘flags’ that are used within Odoo.

Technical Features

This is used to grant users access to several ‘configuration’ menus that are available in Developer mode.

Access to Private Addresses

This enables a Record Rule. More details here.

Access

Access for a user is a combination of the permissions (Read, Write, Create and Delete) from all the groups assigned to them.

This applies both for Models and Records (i.e. Record Rules).

So a user could have

  • Write access to a Model from one group and Delete access from another group
  • and also Write access to (all or selected) records from one group and Delete access from another group.

This can become quite complex if users have access to multiple applications, and you may find that they can do things that they shouldn’t be able to do!

That’s because both Models and Access Groups are used across applications.
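To review this kind of cross-application access, it helps to compute the union explicitly and record which group supplies each permission. The following is an added example, not code from the original article or from Odoo: the group names follow the article, but the inheritance table and the permission values are constructed sample data (in a real database they would come from res.groups implied_ids and ir.model.access), and the Purchase Manager product access is an assumption made for the demonstration.

```python
from collections import defaultdict

# Constructed sample data; group -> groups it inherits.
IMPLIED = {
    "Sales / Administrator": ["Sales / User: All Documents"],
    "Sales / User: All Documents": ["Sales / User: Own Documents Only"],
    "Sales / User: Own Documents Only": ["Internal User"],
    "Purchase Manager": ["Purchase User"],
    "Purchase User": ["Internal User"],
    "Internal User": [],
}

# (group, model) -> permission letters: r=Read w=Write c=Create d=Delete
MODEL_ACCESS = {
    ("Sales / User: Own Documents Only", "sale.order"): "rwc",
    ("Sales / User: Own Documents Only", "product.template"): "r",
    ("Sales / Administrator", "sale.order"): "rwcd",
    ("Sales / Administrator", "product.template"): "rwcd",
    ("Purchase Manager", "product.template"): "rwcd",  # assumption for the demo
}


def expand_groups(assigned):
    """Return the assigned groups plus every group they inherit, transitively."""
    seen, stack = set(), list(assigned)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(IMPLIED.get(group, []))
    return seen


def effective_access(assigned):
    """Union of permissions per model, with the groups that grant each one."""
    groups = expand_groups(assigned)
    result = defaultdict(lambda: defaultdict(set))
    for (group, model), perms in MODEL_ACCESS.items():
        if group in groups:
            for perm in perms:
                result[model][perm].add(group)
    return {m: {p: sorted(g) for p, g in ps.items()} for m, ps in result.items()}


def unexpected_grants(assigned, app_prefix, model):
    """Permissions on `model` granted only by groups outside `app_prefix`."""
    perms = effective_access(assigned).get(model, {})
    return {p: g for p, g in perms.items()
            if not any(name.startswith(app_prefix) for name in g)}
```

For a user holding “Sales / User: All Documents” and “Purchase Manager”, `unexpected_grants(user, "Sales", "product.template")` reports Write, Create and Delete as coming from Purchase Manager alone, which is the situation the Sales groups by themselves would not allow.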

Note also that:

  • A user’s authorization to menu items will limit what they can do:
    • You can change this if required
    • However, removing access to menus may not fully limit access because there may be links within the application (for example, click on a product to display – and edit – information about the product)
  • The design of the application may add further restrictions

So, in summary, User Access Groups define access given to groups of users in an Odoo database. They standardize and simplify user access so that setting up a user should be fairly simple, but there is quite a lot of complexity that you really ought to understand.

Making changes can be tricky, but not making any changes (or at least not reviewing the standard setup) could cause bigger problems.

2 thoughts on “User Access Groups and more about access”

  1. Is it possible to create a way where there are 7 apps and I create 7 groups, if the user is added to the groups then only we can see the top menus.
    For eg: the CRM app has a group name “CRM Menu” if the user is added to “CRM Menu” then only we can see the CRM top level menu.
    If it is possible then how?


  2. I have two companies, A and B. I would like my employees to have access to view the employee module of both companies, but I only want them to be able to edit or modify the employee module of company A. Is it possible to configure this process?

