Access rights in Odoo
Users and their roles
9 November, 2023 by manaTec GmbH, Steffi Heyber
 


The management of rights and permissions in Odoo is a comprehensive and complex topic. In this article, we would like to give you a brief insight into how rights and permissions for users and data are assigned in Odoo and how you can optimally adjust, set up and configure them to ensure the security of your company and your data.

User:

Basically, Odoo distinguishes between three user types:
1. Portal
2. Public
3. Internal user

This is the first level within the database where it is decided what data a user can see and what they have access to.


Portal and public users

They do not belong to the usual Odoo groups, but they have access rights to certain data and menus. For example, in the Contacts module you can grant a customer portal access at any time, so that he has access to his orders or to the tickets he created.

Internal user 

These are all employees who have direct access to the database in order to perform their daily tasks. To grant employees this access, they must be created as users.

Administrators can do this in the settings via "Manage users" or via the menu Users and Companies → Users. After the name and e-mail address have been entered, the basic settings and access permissions are configured.


First, all access rights applicable to the user are set in the Access Rights tab. In multi-company environments, the allowed companies for the user are defined first. After that, all apps activated in the database are listed. Here the user is added to so-called groups in the respective apps, based on his role in the company.

Note that by default all newly created users have administrative roles in all apps, so setting access permissions is especially important here.

Furthermore, in the Settings tab (2.), the user language, the time zone, the notifications and the e-mail signature can be set. In the Account Security tab, the administrator of the database can also decide whether the user must authenticate with two-factor authentication.

If the system is connected via an e-mail server, the user can be informed via the "Send an invitation e-mail" button that he can register in Odoo.

Groups in Odoo:

Odoo has predefined user roles for each app, which differ according to their access rights to data and views.

Basically, the following applies: if a user is not to be given access to a particular app, the field is left blank in the app assignment. Users of an app are granted access to it with limited functions. Administrators, on the other hand, have the full functionality of the app at their disposal and can also make settings and configurations. For certain apps, there are intermediate levels where the assignment of rights is structured in more detail.

It should be noted that each higher user group has all the access rights of those below it. Here is an example:

In the Sales app, a distinction is made between:
1. User: Only own documents
2. User: All documents
3. Administrator

If Lieschen Müller has access to the 1st group, she has access only to the offers and sales orders she created herself.

If Lieschen Müller gets access to all documents (group 2), she can also see the offers and orders of the other employees.

If Lieschen Müller is the administrator of the sales department, she also has access to the settings and the reporting system.

The overview of the groups of the respective applications, as well as the rights defined in them can be viewed in the settings.


Groups and their configurations:


As mentioned above, Odoo defines user rights via groups. This means that you can easily manage your employees based on their roles and tasks in the company and grant or deny them access.

With developer mode activated, the groups can be found under Settings → Users and Companies.

Here you can also add new groups with the corresponding configurations.

The groups are structured according to the following scheme:

[Figure: The groups of rights in Odoo]


1. Application that the group accesses:
This is where you set which app this group is defined to access. If this is left blank, a general group can also be created.

2. The name of the group:
Each group can be given a unique, translatable name here.

3. Users:
In this tab, all users who are intended for this role in the company are added.

4. Inherit:
Users in this group automatically inherit the membership of the groups stored here.

It is important to know that when users are added to a group in the settings of an application, the inheritance defined in that group may also add them to other groups. This is the reason for the example mentioned above, where Lieschen Müller, as an administrator in the sales department, is automatically also a member of the group "User: All documents" and thus automatically also a member of the group "User: Only own documents", and so receives all rights from the groups below.

5. Menus:
Here you define which menus the users have access to in this application or in other applications. This way you can also give an employee with fewer rights access to an additional menu without placing him in a higher rights group. For example, you can define that the users in the group "User: All documents" have additional access to the Reporting menu in Sales, but not to the configurations that the administrator has. It is also important to pay attention to tabs 7 and 8.

6. Views:
These views can be seen by the users.

7. Access rights:
In this tab, the access rights at model level are defined. A distinction is made as to whether the user has read, write, create and delete rights for the respective object.

8. Rights for data:
Here, at an additional level, it is defined which data sets the group members have access to, again distinguishing between read, write, create and delete rights for the respective data set. The domain specifies when the user has the right to see and/or edit a record.

9. Notes:
Here is the definition of the group and other information in plain text.


Further settings and overviews:

All of the above access rights and permissions for data can be found in the "Technical" menu under "Security".

All access rights at model level, including their associated group, are listed here, as well as all access rights to the data sets of the respective model, including any defined groups. If no group is defined for a data set rule, the rule is global and applies to all users.
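
The interplay of inheritance (item 4), model-level access rights (item 7) and rights for data (item 8), including rules without a group that apply to all users, is shown below as an added Python example that is not part of the original article and is not Odoo's own code. The group names follow the sales example above; the access entries, rules, field names and users are constructed, and domains are simplified to Python predicates that apply to every operation.

```python
# Simplified model of how groups, model access rights and data rules combine.
# All data is constructed for illustration; it is not read from an Odoo database.

IMPLIED = {  # group -> groups whose membership it inherits ("Inherit" tab)
    "Administrator": {"User: All documents"},
    "User: All documents": {"User: Only own documents"},
    "User: Only own documents": set(),
}

# Model-level access rights: (group, or None for everyone; model; operations)
ACCESS = [
    ("User: Only own documents", "sale.order", {"read", "write", "create"}),
    ("Administrator", "sale.order", {"read", "write", "create", "unlink"}),
]

# Rights for data: (group, or None for a global rule; model; predicate)
RULES = [
    (None, "sale.order", lambda u, r: r["company"] in u["companies"]),
    ("User: Only own documents", "sale.order", lambda u, r: r["owner"] == u["name"]),
    ("User: All documents", "sale.order", lambda u, r: True),
]

def effective_groups(direct):
    """Return the direct groups plus everything they inherit, transitively."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(IMPLIED.get(group, ()))
    return seen

def can(user, op, model, record):
    """Decide whether `user` may perform `op` on one `record` of `model`."""
    groups = effective_groups(user["groups"])
    # 1. Model level: one entry granting the operation to one of the groups suffices.
    if not any(m == model and op in ops and (g is None or g in groups)
               for g, m, ops in ACCESS):
        return False
    # 2. Global rules (no group) restrict everybody: all of them must match.
    if not all(p(user, record) for g, m, p in RULES if m == model and g is None):
        return False
    # 3. Group rules widen access: if any apply to the user, one match is enough.
    mine = [p for g, m, p in RULES if m == model and g in groups]
    return not mine or any(p(user, record) for p in mine)

def make_user(name, group, companies=("A",)):
    """Build a constructed sample user that is a direct member of one group."""
    return {"name": name, "groups": {group}, "companies": set(companies)}
```

Because group rules are combined permissively, adding a user to a higher group can only widen the set of visible records, while a global rule such as the company filter still applies to administrators.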

Further access authorizations can also be defined and created in these two menus.

Configuring rights in Odoo is a complex topic and can only be treated superficially in this article. Please note that a reconfiguration can have a significant impact on your database. Therefore, we strongly recommend that you contact one of our experts to ensure the correct configuration of any access rights in your company.



 