Odoo is very flexible in terms of security and can control what users do at different levels. At the same time, we can also independently operate the four basic operations of adding, reading, writing, and deleting.
view level
We can do this at the field /menu level:
- Show or hide fields for certain users
- Make fields read-only for some users and editable for others
- For different users, display different variables for selecting fields
Just add the groups attribute, for example: .
<menuitem id="main_budget_manage_menu" name="Budget Manage" groups="hrp_budget_manage.hrp_budgetm"/>
At the field security level, you want to use res.users
and res.groups
models that are in a many-to-many relationship with each other.
Some user groups built into the Odoo system ./openerp/addons/base/security/base_security.xml
are defined in this file:
<record model="res.groups" id="group_erp_manager">
<field name="name">Access Rights</field>
</record>
<record model="res.groups" id="group_system">
<field name="name">Settings</field>
<field name="implied_ids" eval="[(4, ref('group_erp_manager'))]"/>
<field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>
<record model="res.groups" id="group_user">
<field name="name">Employee</field>
<field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>
<record model="res.groups" id="group_multi_company">
<field name="name">Multi Companies</field>
</record>
<record model="res.groups" id="group_multi_currency">
<field name="name">Multi Currencies</field>
</record>
<record model="res.groups" id="group_no_one">
<field name="name">Technical Features</field>
</record>
<record id="group_sale_salesman" model="res.groups">
<field name="name">User</field>
</record>
<record id="group_sale_manager" model="res.groups">
<field name="name">Manager</field>
<field name="implied_ids" eval="[(4, ref('group_sale_salesman'))]"/>
</record>
The data model is defined in res_users.py
and the main fields are as follows:
'users': fields.many2many('res.users', 'res_groups_users_rel', 'gid', 'uid', 'Users'),
'model_access': fields.one2many('ir.model.access', 'group_id', 'Access Controls', copy=True),
'rule_groups': fields.many2many('ir.rule', 'rule_group_rel',
'group_id', 'rule_group_id', 'Rules', domain=[('global', '=', False)]),
'menu_access': fields.many2many('ir.ui.menu', 'ir_ui_menu_group_rel', 'gid', 'menu_id', 'Access Menu'),
'view_access': fields.many2many('ir.ui.view', 'ir_ui_view_group_rel', 'group_id', 'view_id', 'Views'),
'category_id': fields.many2one('ir.module.category', 'Application', select=True),
users : Specifies the users in the group.
menu_access : Specifies which menus are accessible within the group, at the view level .
view_access : Specifies the accessible views within the group, at the view level .
rule_groups : Specifies the rules within the group, record level, a subset of records for a given model, at the real object level .
model_access : specifies the model in the group, and controls the access to the model at the real object level .
category_id : Specifies the Odoo Module category to which the group belongs.
implied_ids : Specifies the permissions inherited from the specified group.
object level
These access rights are usually defined in ir.model.access.csv
and the data is stored in ir_model_acess
tables such as:
id,name,model_id/id,group_id/id,perm_read,perm_write,perm_create,perm_unlink
access_idea_idea,idea.idea,model_idea_idea,base.group_user,1,1,1,0
id : The external identification ID, that is, the XML ID, is unique.
name : Descriptive title, preferably eye-catching and unique.
model_id : The external identification ID of the data model we want to access. ORM will automatically generate this ID by default.
group_id : The permission group to be granted, XML ID.
perm_curd : is the specific permission assignment.