Access rights are fundamental permissions that govern what content and applications users can view, access, and modify within Odoo. These crucial permissions can be configured for individual users or assigned to groups of users. By judiciously limiting permissions to only those who require them, organizations can effectively prevent unauthorized modifications or deletions of sensitive data, thereby enhancing the overall security and integrity of their Odoo database.

It is important to note that only an administrator with appropriate privileges has the authority to alter access rights.

Danger: Modifying access rights carries significant risks and can adversely impact the database's functionality. A severe consequence is experiencing impotent admin, a state where no user in the database possesses the ability to make changes to access rights or critical settings. Due to these potential risks, Odoo strongly recommends consulting with an Odoo Business Analyst or their Support Team before implementing any changes to access rights.

Tip: For a user to be able to modify another user’s access rights settings, they must have specific Administration access rights configured on their own user profile. To enable this, an existing administrator needs to navigate to Settings > Users & Companies > Users. Once there, locate the desired user, edit their profile, and change the setting in the Administration field to Access Rights. After this modification, click Save to apply the changes and grant the user administrator privileges for managing access rights.

Users and Individual Access Rights

Access rights for individual users are typically established when a user is first added to the Odoo database. However, these permissions are not static and can be adjusted at any time through the user's profile. To modify a user's permissions, an administrator should navigate to Settings > Users & Companies > Users and then click on the specific user whose profile needs editing.

Users menu in the Users & Companies section of the Settings app of Odoo.

Within the user’s profile page, locate the Access Rights tab. Scrolling down in this section will reveal the user’s currently assigned permissions across various applications. For each Odoo application, a drop-down menu allows administrators to select the appropriate level of access. Common options include: Blank/None (no access), User: Own Documents (access only to documents created or owned by the user), User: All Documents (access to all documents within that application), or Administrator (full administrative control over the application).

Furthermore, the Administration field within the Access Rights tab offers two critical options: Settings or Access Rights. Selecting "Access Rights" grants the user the ability to manage other users' access permissions, as mentioned in the tip above. Choosing "Settings" provides broader access to Odoo's general configuration settings.

The Sales apps drop-down menu to set the user's level of permissions.

Managing and Modifying Access Groups

Groups in Odoo are application-specific collections of permissions designed to streamline the management of common access rights for a large number of users. Administrators possess the flexibility to modify existing groups within Odoo or to create entirely new ones, enabling them to define precise rules for models within a specific application.

To access and manage groups, it is first necessary to activate Odoo's developer mode. Once developer mode is active, navigate to Settings > Users & Companies > Groups.

Groups menu in the Users & Companies section of the Settings app of Odoo.

From the Groups page, administrators can create a new group by clicking the Create button. A blank group form will appear, requiring the selection of an Application and the completion of various group details. Alternatively, to modify an existing group, simply click on its name from the list displayed on the Groups page and proceed to edit its contents.

When creating or editing a group, you will need to enter a Name for the group. If the purpose of this group is to define access rights for sharing data with certain users, ensure that the checkbox next to Share Group is ticked.

The group form is organized into multiple tabs, each dedicated to managing specific elements of the group's configuration. Within each tab, clicking Add a line allows for the addition of new rows for users, rules, or other settings, while clicking the (cancel) icon effectively removes an existing row.

Tabs in the Groups form to modify the settings of the group.
  • Users tab: This tab displays a list of all current users who are members of this group. Users with administrative rights within the group are indicated in black, while users without administrative access appear in blue. To include additional users in this group, simply click Add a line and select the desired users.
  • Inherited tab: Groups listed in this tab mean that any user added to the current group will automatically inherit membership in these listed groups as well. To add more inherited groups, click Add a line.

    Example: If the Sales/Administrator group includes the Website/Restricted Editor group in its Inherited tab, then any user assigned to Sales/Administrator will automatically gain access to the permissions defined within the Website/Restricted Editor group.

  • Menus tab: This section is used to define which specific Odoo menus (and consequently, the models they represent) the group members will have access to. To grant access to additional menus, click Add a line and select the relevant menu.
  • Views tab: Here, administrators can specify which particular views within Odoo the group has permissions to access. To add a view to the group’s access, click Add a line.
  • Access Rights tab: This tab details the primary level of access rights, focusing on models, that this group possesses. The Name column provides a descriptive identifier for the group’s access to the model selected in the Model column. To link a new access right to a group, click Add a line. From the Model drop-down menu, select the appropriate model, and then enter a descriptive name for the access right in the Name column. For each model, the following permissions can be enabled as necessary:
    • Read: Allows users to view the object's existing values.
    • Write: Permits users to modify the object's existing values.
    • Create: Grants users the ability to create new values for the object.
    • Delete: Enables users to remove values for the object.

    Tip: While there are no strict naming conventions for access rights, adopting a clear and descriptive naming strategy is highly advisable to easily identify its purpose. For instance, the access permissions that purchase managers have to the Contact model could be aptly named res.partner.purchase.manager. This structure typically combines the technical name of the model with an identifier for the specific group of users in question.

    Name of access rights to a model.

    To ascertain a model’s technical name directly from the current view, first input a placeholder text into the Name field. Subsequently, click on the Model name itself, and then select the (Internal link) icon that appears. This action will typically reveal the model's technical identifier.

  • Record Rules: This tab allows for the definition of a second, more granular layer of editing and visibility rights. Record Rules are powerful tools that can either overwrite or further refine the group’s existing access rights. To add a new record rule to this group, click Add a line. For each rule, configure the relevant options:
    • Apply for Read: Determines if the rule applies when reading data.
    • Apply for Write: Determines if the rule applies when writing data.
    • Apply for Create: Determines if the rule applies when creating new data.
    • Apply for Delete: Determines if the rule applies when deleting data.

    Important: Record rules are formulated using a domain, which consists of conditions that filter data. A domain expression is a structured list of such conditions. For example: [('mrp_production_ids', 'in', user.partner_id.commercial_partner_id.production_ids.ids)]. This specific record rule is designed to enable MRP consumption warnings for subcontractors. Odoo provides a library of preconfigured record rules for convenience. However, users who lack familiarity with domain expressions are strongly advised to consult an Odoo Business Analyst or the Odoo Support Team before attempting to make any modifications to record rules.

Understanding and Activating Superuser Mode

Superuser mode is a specialized function that empowers a user to bypass all standard record rules and access rights within Odoo. To activate Superuser mode, you must first enable developer mode. Once developer mode is active, navigate to the debug menu, which is typically represented by a (debug) icon, located in the top banner of the Odoo interface. Finally, towards the bottom of the debug menu, click on Become Superuser.

Important: Access to Superuser mode is strictly limited. Only users who possess Settings access within the Administration section of their Access Rights (as defined in their user profile) are authorized to log in as a Superuser.

Danger: The activation of Superuser mode allows for the complete circumvention of all record rules and access rights, granting unrestricted database access. Consequently, this mode must be exercised with extreme caution. There is a significant risk that upon exiting Superuser mode, users may find themselves locked out of the database due to unintended changes made while in this privileged state. Such an event can lead to impotent admin, a situation where no administrator retains the ability to modify access rights or settings. Should this occur, it is imperative to contact Odoo Support immediately by submitting a new help ticket. The Odoo support team possesses the necessary tools and capabilities to restore access using a dedicated support login.

To safely exit Superuser mode, the most straightforward method is to log out of the current account. This can be done by navigating to the upper-right corner of the Odoo interface, clicking on the OdooBot username, and then selecting the Log out option.

Tip: An alternative and direct way to activate Superuser mode is during the login process. When at the Odoo login screen, enter your appropriate Email and Password as usual. Instead of clicking the standard Login button, click the specialized Log in as superuser option.

Was this answer helpful? 0 Users Found This Useful (0 Votes)

Most Popular Articles

How to Setup Email Accounts in cPanel

Setting Up Email Accounts in cPanelThis guide will walk you through the process of creating and...
Understand Workflow Triggers

Understanding Workflow Triggers for Metanow CRM Integrations Workflow triggers in Metanow CRM are...
ModSecurity® 3

ModSecurity® 3 - Metanow CRM ModSecurity® 3 Overview ModSecurity...
The Ultimate Guide to Voicemail: Everything You Need to Know

The Ultimate Guide to Voicemail: Everything You Need to Know Understanding Voicemail: A Brief...
Gain Insights into Every Association | Features

Gain Comprehensive Insights into Every Association | Metanow CRM Features Association Deep...