Access Rights in Odoo 18.0: A Comprehensive Guide

Access rights are fundamental permissions that define which content and applications users can view, access, and modify within Odoo. These crucial permissions can be configured for individual users or for predefined groups of users. By carefully restricting permissions to only those who genuinely require them, organizations can safeguard data integrity and prevent unauthorized modifications or deletions of sensitive information.

It is important to note that only an administrator possesses the authority to alter access rights within the Odoo system.

Danger: Modifying access rights carries significant risks and can have severe, detrimental impacts on the database. A critical concern is the potential for creating an "impotent admin" situation, where no user in the database retains the ability to make further changes to access rights. Given these potential risks, Odoo strongly advises consulting with an Odoo Business Analyst or the Odoo Support Team before implementing any changes to access rights.

Tip: For a user to be able to modify another user's access rights, their own user profile must explicitly have the "Administration" access rights set to "Access Rights."

To enable a user to manage access rights, an existing administrator must navigate to the user's profile. Within the user's profile, locate the "Administration" field in the "Access Rights" tab. Change the setting in this field to "Access Rights." After making this crucial adjustment, remember to click "Save" to apply the changes, thereby implementing the user as an administrator with access rights management capabilities.

Users

The access rights for individual users are initially configured when they are added to the Odoo database. However, these permissions are not static and can be modified or adjusted at any point directly within the user’s profile.

To modify a user’s specific access rights, begin by navigating to the "Users & Companies" section within the "Settings" app. From there, select the desired user to open and edit their individual profile.

Once on the user’s profile page, proceed to the "Access Rights" tab. Here, you can review the currently assigned permissions. For each Odoo application, a drop-down menu allows you to precisely select the appropriate level of permission for the user. While options may differ slightly across applications, common choices typically include: "Blank/None" (no access), "User: Own Documents" (access limited to documents created by the user), "User: All Documents" (access to all documents within that application), or "Administrator" (full administrative control for the application). Additionally, the "Administration" field within this tab offers specific options: "Settings" or "Access Rights," controlling broader administrative capabilities.

Create and Modify Groups

Groups in Odoo represent app-specific collections of permissions designed to streamline the management of common access rights for a larger number of users. Administrators possess the flexibility to either modify the existing default groups within Odoo or establish entirely new groups to meticulously define rules for models within a particular application.

To access and manage groups, it is first necessary to activate Odoo’s developer mode. Once activated, navigate to Settings > Users & Companies > Groups.

From the "Groups" page, you have two primary options: to create a new group or modify an existing one. To create a new group, click the "Create" button. A blank group form will appear, prompting you to select an "Application" and then complete the remaining fields, as detailed in the following sections. Alternatively, to modify an existing group, simply select it from the list presented on the "Groups" page and proceed to edit its form. When creating or editing, ensure you provide a descriptive "Name" for the group. Additionally, if the group is intended to manage access rights for sharing data with specific users, remember to tick the checkbox labeled "Share Group."

Important: It is crucial to always thoroughly test any changes made to group settings to confirm that the desired access rights are being correctly applied to the intended users and that no unintended side effects occur.

The comprehensive group form is organized into several tabs, each dedicated to managing distinct elements of the group's configuration. Within each tab, you can easily add new entries, such as users or rules, by clicking "Add a line." Conversely, to remove an existing entry, simply click the (cancel) icon associated with that row.

Users Tab

The Users tab provides a clear overview of all users currently assigned to this group. Users displayed in black typically indicate those with administrative rights within the group, while users appearing in blue denote standard members without administrative access. To expand the group's membership, click "Add a line" and select the desired users.

Inherited Tab

The Inherited tab allows for the automatic inclusion of users into other specified groups. Essentially, when a user is added to the current group, they will automatically gain membership, and thus the associated permissions, of any groups listed on this tab. To establish these hierarchical relationships, click "Add a line" and select the groups you wish to inherit.

Example: Consider a scenario where the "Sales/Administrator" group includes the "Website/Restricted Editor" group in its Inherited tab. In this configuration, any user subsequently added to the "Sales/Administrator" group will automatically also be granted access to the "Website/Restricted Editor" group, streamlining permission assignments across related functions.

Menus Tab

The Menus tab is where you define which specific menus and, by extension, which underlying models, the members of this group are permitted to access. To grant access to additional functionalities, click "Add a line" and select the desired menu items.

Views Tab

The Views tab details the specific Odoo views that members of this group are authorized to see and interact with. To broaden the group's visibility to other views, click "Add a line" and specify the views you wish to include.

Access Rights Tab

The Access Rights tab manages the foundational level of permissions, specifically defining the group's rights over various Odoo models. The "Name" column is used to provide a descriptive identifier for the group's access to the model selected in the "Model" column.

To establish a new access right for a group, click "Add a line." First, select the relevant model from the "Model" drop-down menu. Next, assign a meaningful name for this specific access right in the "Name" column. For each chosen model, you can enable a combination of the following granular options:

• Read: This permission allows users to view and inspect the existing values and data associated with the object or record.
• Write: With this right, users gain the ability to modify, update, and edit the existing values of the object or record.
• Create: This option empowers users to generate and add new instances or values for the object, expanding the database.
• Delete: Granting this permission enables users to permanently remove or delete existing values and records from the object.

Tip: Although Odoo does not enforce strict naming conventions for access rights, adopting a descriptive naming strategy is highly recommended. A clear name should effectively communicate the purpose and scope of the access right. For instance, an access right defining what purchase managers can do with the Contact model might be aptly named res.partner.purchase.manager. This structure typically combines the technical name of the model with a clear identifier for the user group or role it applies to.

To identify the technical name of a model directly from the current view, you can first enter any placeholder text into the "Name" field. Subsequently, click on the "Model" name itself, and then select the (Internal link) icon that appears. This action will reveal the underlying technical identifier of the model, which is essential for precise configuration.

Record Rules

Record Rules introduce a sophisticated second layer of control over editing and visibility, allowing for fine-grained permissions. These rules effectively override or further refine the broader access rights defined for a group. To implement a new record rule for the group, click "Add a line." For each rule, you must specify its application across the following operations:

• Apply for Read: Determines if the rule affects the ability to view records.
• Apply for Write: Determines if the rule affects the ability to modify records.
• Apply for Create: Determines if the rule affects the ability to create new records.
• Apply for Delete: Determines if the rule affects the ability to delete records.

Important: Record rules are constructed using a domain, which serves as a set of conditions that filter data. A domain expression is essentially a list of these specific conditions. For example, the domain:

[('mrp_production_ids', 'in', user.partner_id.commercial_partner_id.production_ids.ids)]

is a record rule designed to enable MRP consumption warnings specifically for subcontractors. Odoo provides a comprehensive library of preconfigured record rules to facilitate ease of use. However, for users unfamiliar with domain syntax and expressions, it is strongly recommended to consult an Odoo Business Analyst or the Odoo Support Team before attempting to make any modifications.

Superuser Mode

Superuser mode in Odoo grants a user the ability to bypass all standard record rules and access rights, providing unrestricted access to the database. To activate this powerful mode, you must first enable developer mode. Subsequently, navigate to the _debug_ menu, which is typically represented by a (debug) icon located in the top banner of the Odoo interface.

Finally, towards the bottom of the debug menu, click on "Become Superuser" to activate the mode.

Important: Access to Superuser mode is strictly limited to users who possess "Settings" access within the "Administration" section of "Access Rights" in their user profile. This safeguard ensures that only highly authorized personnel can utilize this elevated privilege.

Danger: Superuser mode provides the capability to circumvent all established record rules and access rights, a power that demands extreme caution. Improper use can lead to serious consequences, including users being locked out of the database upon exiting the mode due to critical changes made while in superuser status. This scenario can result in an "impotent admin," where an administrator loses the ability to modify access rights or settings. Should such an issue occur, it is imperative to immediately contact Odoo Support by submitting a new help ticket. The Odoo support team possesses the necessary tools to restore access using a dedicated support login.

To safely exit Superuser mode, users must log out of their account. This is done by navigating to the upper-right corner of the Odoo interface, clicking on the username (typically "OdooBot" in developer mode), and then selecting the "Log out" option from the drop-down menu.

Tip: An alternative method to activate Superuser mode involves logging in directly as a superuser. From the Odoo login screen, after entering the correct Email and Password, instead of clicking the standard "Login" button, select the "Log in as superuser" option.