Aside from manually managing access using custom code, Odoo provides two main data-driven mechanisms to manage or restrict access to data.
Both mechanisms are linked to specific users through groups: a user belongs to any number of groups, and security mechanisms are associated to groups, thus applying security mechamisms to users.
Managed by the ir.model.access records, defines access to a whole model.
Each access control has a model to which it grants permissions, the permissions it grants and optionally a group.
Access controls are additive, for a given model a user has access all permissions granted to any of its groups: if the user belongs to group A which allows writing and group B which allows deleting, he can both write and delete.
If no group is specified, the access control applies to all users, otherwise it only applies to the users belonging to the specific group.
Available permissions are creation (perm_create), searching and reading (perm_read), updating existing records (perm_write) and deleting existing records (perm_unlink)
Record rules are conditions that records must satisfy for an operation (create, read, update or delete) to be allowed. It is applied record-by-record after access control has been applied.
A record rule has:
Global rules and group rules (rules restricted to specific groups versus groups applying to all users) are used quite differently:
This means the first group rule restricts access, but any further group rule expands it, while global rules can only ever restrict access (or have no effect).
record rules do not apply to the Administrator user
although access rules do
New in version 7.0.
An ORM Field can have a groups attribute providing a list of groups (as a comma-separated string of external identifiers).
If the current user is not in one of the listed groups, he will not have access to the field:
Workflow transitions can be restricted to a specific group. Users outside the group can not trigger the transition.