Access rights are fundamental permissions that govern the content and applications users can access and modify within Odoo. These crucial permissions can be precisely configured for individual users or for various user groups. By limiting access to only those who require it, organizations can effectively prevent unauthorized modifications or deletions of sensitive data, ensuring data integrity and system security.

Caution: Administrator Responsibilities

Only an administrator possesses the authority to modify access rights. Extreme care must be taken when making such changes, as they can significantly impact the database. A critical risk is the creation of an "impotent admin," where no user in the database retains the ability to alter access rights. To mitigate such risks, Odoo strongly recommends consulting an Odoo Business Analyst or the Support Team before implementing any changes to access rights.
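
A pre-change check for the "impotent admin" condition described above, as an added example that is not Odoo's code. The users, the group assignments and the inheritance map are constructed. That "Administration / Settings" carries "Administration / Access Rights" with it is an assumption of the example, and groups are assumed to pass membership on through inheritance, as the Inherited tab covered later on this page does.

```python
# Added example with constructed data; not Odoo's code or a real database export.
ACCESS_RIGHTS = "Administration / Access Rights"

# group -> groups on its Inherited tab (constructed; the first entry is an
# assumption of this example, the second is the pairing used on this page).
INHERITED = {
    "Administration / Settings": [ACCESS_RIGHTS],
    "Sales / Administrator": ["Website / Restricted Editor"],
}

USERS = {  # constructed users: active flag and directly assigned groups
    "alice": {"active": True, "groups": ["Administration / Settings"]},
    "bob": {"active": True, "groups": ["Sales / Administrator"]},
    "carol": {"active": False, "groups": [ACCESS_RIGHTS]},
}

def effective_groups(direct, inherited=INHERITED):
    """Direct groups plus everything reachable through inheritance."""
    seen, todo = set(), list(direct)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(inherited.get(group, ()))
    return seen

def rights_admins(users, inherited=INHERITED):
    """Active users who can still modify access rights."""
    return sorted(
        login for login, user in users.items()
        if user["active"] and ACCESS_RIGHTS in effective_groups(user["groups"], inherited)
    )

def check_change(users, login, groups=None, active=None, inherited=INHERITED):
    """Apply a proposed edit to a copy; refuse it if nobody could undo it."""
    proposed = {name: dict(user) for name, user in users.items()}
    if groups is not None:
        proposed[login]["groups"] = list(groups)
    if active is not None:
        proposed[login]["active"] = active
    remaining = rights_admins(proposed, inherited)
    if not remaining:
        raise ValueError(f"change to {login!r} leaves no user able to modify access rights")
    return remaining
```

The inactive user "carol" holds the group directly but does not count, so demoting "alice" is rejected while promoting "bob" is accepted.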

Prerequisite for Access Rights Management

To modify another user’s access rights settings, a user must have specific "Administration: Access Rights" permissions configured on their own user profile. This ensures that only authorized personnel can manage these critical settings.

To enable this setting, navigate to Settings > Users & Companies > Users. Once on the user profile, an existing administrator must change the Administration field to "Access Rights." After completing this, click Save to apply the changes and grant the user administrator privileges for access rights management.

Managing Individual User Access Rights

Access rights for individual users are initially established when a user account is created in the database. However, these permissions are not static and can be adjusted at any time through the user’s profile. This flexibility allows administrators to adapt permissions as user roles and responsibilities evolve.

To modify a user’s access rights, navigate to Settings > Users & Companies > Users and click on the desired user's name to open their profile for editing.

Within the user’s profile page, locate the Access Rights tab. Scroll down to review the currently assigned permissions for various applications.

For each application listed, utilize the drop-down menu to select the appropriate level of permission for that user. The available options will vary depending on the application, but common choices typically include: "Blank/None" (no access), "User: Own Documents" (access only to documents created by the user), "User: All Documents" (access to all documents within the app), or "Administrator" (full administrative control over the app).

Additionally, the Administration field within the Access Rights tab offers options such as "Settings" or "Access Rights," allowing for granular control over administrative capabilities.

Creating and Modifying User Groups

Groups in Odoo provide an efficient way to manage common access rights for a large number of users. These are app-specific sets of permissions that streamline the administration process. Administrators have the capability to modify existing groups or create entirely new ones to define specific rules for models within an application.

To access and manage groups, it is first necessary to activate Odoo’s developer mode. Once activated, navigate to Settings > Users & Companies > Groups.

To create a new group, click the Create button from the Groups page. A blank group form will appear, where you can select an Application and complete the remaining details of the group form as outlined below. To modify an existing group, simply click on its name from the list displayed on the Groups page and proceed to edit its contents.

Begin by entering a descriptive Name for the group. If this group is intended to manage access rights for sharing data with other users, be sure to tick the checkbox next to Share Group.

Important: Always Test Changes

It is crucial to always test any changes made to group settings to confirm that they are being applied correctly and affecting the intended users as expected. This proactive testing helps prevent unintended access issues.

The group form is organized into several tabs, each dedicated to managing different elements of the group's configuration. In each tab, you can click Add a line to introduce a new row for users, rules, or other configurations, and click the (cross mark) icon to remove an existing row.

Tabs in the Groups form to modify the settings of the group.
  • Users tab: This tab displays a list of all users currently assigned to the group. Users with administrative rights within the group are typically listed in black, while users without administrative access appear in blue. To add more users to this group, click Add a line.
  • Inherited tab: Any user added to the current group automatically becomes a member of the groups listed in this tab as well. This feature simplifies access management for complex organizational structures. To add inherited groups, click Add a line.

    Example: If the 'Sales/Administrator' group includes 'Website/Restricted Editor' in its Inherited tab, then any user assigned to the 'Sales/Administrator' group will automatically gain access to the 'Website/Restricted Editor' group's permissions.

  • Menus tab: This tab allows you to define which specific menus and, by extension, which models within applications, the group members can access. To grant access to a specific menu, click Add a line and select the desired menu.
  • Views tab: Here, you can specify which views (e.g., list, form, Kanban views) within Odoo the group has access to. Click Add a line to add a particular view to the group's permissions.
  • Access Rights tab: This tab details the primary level of rights (models) that this group possesses. The Name column provides a descriptive label for the current group’s access to the model selected in the Model column. To link a new access right to a group, click Add a line. Select the appropriate model from the Model drop-down menu, then enter a meaningful name for the access right in the Name column. For each model, you can enable the following options as needed:
    • Read: Users can view the object’s existing data and values.
    • Write: Users can modify the object’s existing data and values.
    • Create: Users can generate new records or values for the object.
    • Delete: Users can remove records or values from the object.

    Tip: Naming Conventions for Access Rights

    While there are no strict conventions for naming access rights, adopting a clear and descriptive naming strategy is highly recommended to easily identify their purpose. For instance, the access that purchase managers have to the Contact model could be named res.partner.purchase.manager. This name combines the technical name of the model (res.partner) with a clear identifier for the group of users (purchase.manager).

    To find a model’s technical name from the current view, you can first enter a placeholder text in the Name field. Then, click on the Model name itself, followed by the (internal link) icon. This action will typically reveal the technical name of the model.

  • Record Rules: These rules represent a secondary layer of editing and visibility rights that can either override or further refine the group’s existing access rights. Record rules are powerful tools for implementing granular data security. To add a new record rule to this group, click Add a line. For each rule, you will need to choose values for the following options, determining how the rule applies:
    • Apply for Read: Determines if the rule affects reading data.
    • Apply for Write: Determines if the rule affects writing data.
    • Apply for Create: Determines if the rule affects creating new data.
    • Apply for Delete: Determines if the rule affects deleting data.

    Important: Understanding Domain Expressions

    Record rules are constructed using a domain, which consists of specific conditions used to filter data. A domain expression is essentially a list of these conditions. For example, consider the following domain:

    [('mrp_production_ids', 'in', user.partner_id.commercial_partner_id.production_ids.ids)]

    This particular record rule is designed to enable MRP consumption warnings specifically for subcontractors. Odoo provides a comprehensive library of preconfigured record rules for convenience. However, users who are unfamiliar with domain expressions should always consult an Odoo Business Analyst or the Odoo Support Team before attempting to make any changes to record rules, due to their potential impact on data visibility and modification.
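
How a domain like the one above selects records, as an added example that is not Odoo's ORM code: a simplified evaluator for prefix-notation domains, run over constructed records. It goes beyond the single condition shown on the page by also handling the '&', '|' and '!' operators and the implicit AND between conditions. The record values, the `create_uid` field and the id list standing in for the evaluated `user...production_ids.ids` expression are assumptions.

```python
# Simplified model of how a domain filters records; not Odoo's ORM code.
ARITY = {"!": 1, "&": 2, "|": 2}

def _in(value, candidates):
    # x2many fields hold several ids: match when any of them is a candidate
    if isinstance(value, (list, tuple, set)):
        return any(v in candidates for v in value)
    return value in candidates

LEAF_OPS = {"=": lambda v, x: v == x, "!=": lambda v, x: v != x,
            "in": _in, "not in": lambda v, x: not _in(v, x)}

def normalize(domain):
    """Insert the implicit '&' between conditions that have no operator."""
    result, expected = [], 1
    for token in domain:
        if expected == 0:  # previous expression complete: AND in the next one
            result.insert(0, "&")
            expected = 1
        expected += (ARITY[token] - 1) if isinstance(token, str) else -1
        result.append(token)
    return result

def matches(record, domain):
    """Evaluate a prefix-notation domain against one record (a dict)."""
    stack = []
    for token in reversed(normalize(domain)):
        if token == "!":
            stack.append(not stack.pop())
        elif token in ("&", "|"):
            left, right = stack.pop(), stack.pop()
            stack.append((left and right) if token == "&" else (left or right))
        else:
            field, op, value = token
            stack.append(LEAF_OPS[op](record.get(field), value))
    return stack.pop() if stack else True  # empty domain matches everything

def visible_ids(records, domain):
    return [r["id"] for r in records if matches(r, domain)]

# Constructed sample: ids the subcontractor's user expression resolves to,
# and three records of the model the rule is attached to.
PRODUCTION_IDS = [11, 12]
RECORDS = [
    {"id": 1, "mrp_production_ids": [11], "create_uid": 7},
    {"id": 2, "mrp_production_ids": [20], "create_uid": 7},
    {"id": 3, "mrp_production_ids": [12, 20], "create_uid": 9},
]
RULE = [("mrp_production_ids", "in", PRODUCTION_IDS)]
```

Adding a second condition without an operator narrows the result, while prefixing the pair with '|' widens it, which is the usual way an edited record rule ends up exposing or hiding more than intended.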

Understanding Superuser Mode

Superuser mode in Odoo grants a user the ability to bypass all standard record rules and access rights. This powerful mode is typically used for advanced troubleshooting, data recovery, or specific administrative tasks that require unrestricted access. To activate Superuser mode, you must first enable developer mode. Subsequently, navigate to the debug menu, which is identified by a (bug) icon, located in the top banner of your Odoo interface. Finally, near the bottom of the debug menu, click Become Superuser.

Important: Superuser Mode Access Restriction

Only users who possess "Settings" access for the "Administration" section within their "Access Rights" (configured in their user profile) are permitted to log into Superuser mode. This restriction ensures that this highly privileged mode is accessible only to authorized administrators.

Critical Warning: Use Superuser Mode with Extreme Caution

Superuser mode circumvents all record rules and access rights, providing unfettered access to the database. Consequently, it must be exercised with extreme caution. Careless modifications made in Superuser mode can lead to severe consequences, including users being locked out of the database upon exiting the mode. This can result in an "impotent admin" situation, where an administrator loses the ability to modify access rights or settings. In such critical scenarios, it is imperative to contact Odoo Support immediately by submitting a new help ticket. The support team is equipped to restore access using a dedicated support login.

To exit Superuser mode, simply log out of the account. This can be done by navigating to the upper-right corner of the Odoo interface, clicking on the OdooBot username, and then selecting the Log out option from the drop-down menu.

Tip: Alternative Superuser Login

An alternative method to activate Superuser mode is directly from the login screen. Navigate to the Odoo login screen and enter the appropriate Email and Password for an authorized user. Instead of clicking the standard Login button, click Log in as superuser.
