Security tutorial


Odoo is very flexible on the subject of security. We can control what users can do and what they cannot on different levels. Also we can control independently each of the four basic operations: read, write, create, unlink. I.e. allow only read, allow only create, grant permission to create or delete only.

On fields/menu level we can:
  • hide fields or menus for some users and show them for others
  • make fields readonly for some users and make them editable for others
  • show different variants to pick on the Selection fields for different users

On the fields level of security res.users and res.groups models are used. These models relate to each other as many2many. This means that a user can be a member of many groups and one group can be assigned to many users.

One example of how we can hide menu in regard to current user’s groups is the following.


On the picture above in Settings / Users we can see only Users menu. We know that there should be Groups menu also. Let Us see in ./openerp/addons/base/res/res_users_view.xml on the point of how menuitem can be hidden.

<record id="action_res_groups" model="ir.actions.act_window">
   <field name="name">Groups</field>
   <field name="type">ir.actions.act_window</field>
   <field name="res_model">res.groups</field>
   <field name="view_type">form</field>
   <field name="help">A group is a set of functional areas that will be assigned to the
   user in order to give them access and rights to specific applications and tasks in
   the system. You can create custom groups or edit the ones existing by default
   in order to customize the view of the menu that users will be able to see. Whether
   they can have a read, write, create and delete access right can be managed from here.
<menuitem action="action_res_groups" id="menu_action_res_groups" parent="base.menu_users"

The groups attribute in the menuitem element shows us that only the members of base.group_no_one group can see the Groups menu item. The base.group_no_one xmlid is defined in the ./openerp/addons/base/security/base_security.xml as follows.

<record model="res.groups" id="group_erp_manager">
    <field name="name">Access Rights</field>
<record model="res.groups" id="group_system">
    <field name="name">Settings</field>
    <field name="implied_ids" eval="[(4, ref('group_erp_manager'))]"/>
    <field name="users" eval="[(4, ref('base.user_root'))]"/>

<record model="res.groups" id="group_user">
    <field name="name">Employee</field>
    <field name="users" eval="[(4, ref('base.user_root'))]"/>

<record model="res.groups" id="group_multi_company">
    <field name="name">Multi Companies</field>

<record model="res.groups" id="group_multi_currency">
    <field name="name">Multi Currencies</field>

<record model="res.groups" id="group_no_one">
    <field name="name">Technical Features</field>

<record id="group_sale_salesman" model="res.groups">
    <field name="name">User</field>
<record id="group_sale_manager" model="res.groups">
    <field name="name">Manager</field>
    <field name="implied_ids" eval="[(4, ref('group_sale_salesman'))]"/>

Here we can see the group_no_one along with the other base groups. Note that group_no_one has Technical Features name. Let us include our user in the Technical Features group. Since we have no access to the Groups menu item, the only way we can do it is from the Users menu item. See the picture below.


Check the Technical Features box and reload odoo. Now we can see the Groups menu item!


From Settings / Users / Groups we can see a list of existing groups. Here we also can assign users for groups.

Hide fields

In the ./openerp/addons/base/res/res_users_view.xml we can see the view_users_simple_form view. Note here that the company_id field is visible only for members of the base.group_multi_company group.

<!-- res.users -->
<record id="view_users_simple_form" model="ir.ui.view">
    <field name="name">res.users.simplified.form</field>
    <field name="model">res.users</field>
    <field name="priority">1</field>
    <field name="arch" type="xml">
        <form string="Users">
                <field name="id" invisible="1"/>
                <div class="oe_form_box_info oe_text_center" style="margin-bottom: 10px" attrs="{'invisible': [('id', '>', 0)]}">
                    You are creating a new user. After saving, the user will receive an invite email containing a link to set its password.
                <field name="image" widget='image' class="oe_avatar oe_left" options='{"preview_image": "image_medium"}'/>
                <div class="oe_title">
                    <label for="name" class="oe_edit_only"/>
                    <h1><field name="name"/></h1>
                    <field name="email" invisible="1"/>
                    <label for="login" class="oe_edit_only" string="Email Address"/>
                        <field name="login" on_change="on_change_login(login)"
                    <label for="company_id" class="oe_edit_only" groups="base.group_multi_company"/>
                    <field name="company_id" context="{'user_preference': 0}" groups="base.group_multi_company"/>
                    <label for="groups_id" string="Access Rights"
                            attrs="{'invisible': [('id', '>', 0)]}"/>
                    <div attrs="{'invisible': [('id', '>', 0)]}">
                        <field name="groups_id" readonly="1" widget="many2many_tags" style="display: inline;"/> You will be able to define additional access rights by edi ting the newly created user under the Settings / Users menu.
                    <field name="phone"/>
                    <field name="mobile"/>
                    <field name="fax"/>

Our current user is Administrator. By default he is not a member of the base.group_multicompany group. That is why the company_id isn’t visible for him on the form.

Model records:
  • restrict access to specified subset of records in model
  • restrict access to all records of model