Security Mechanisms (How secure is Odoo?)
Odoo's security mechanisms are built around groups. A group is a set of users, and a user can belong to any number of groups. Each group is granted access rights on models; these rights are declared in the module's security/ir.model.access.csv file, which controls access to a whole model. Odoo provides the following security mechanisms, all of them keyed on the groups a user belongs to.
1. Access Control:
Access control is managed by ir.model.access records (loaded from ir.model.access.csv); each record grants rights on a whole model to one group. Rights are additive across groups: if one of a user's groups has the right to read a model and another of the user's groups has the right to write it, that user can do both. A record with an empty group_id is global and applies to every user, which is how a right is granted to everyone. A user who matches no access record for a model gets no access to that model at all, since Odoo denies by default.
Here are the steps:
- Step 1: Create a security folder in your module.
- Step 2: Create the ir.model.access.csv file in that folder.
- Step 3: Declare the file in the data list of __manifest__.py so that it is loaded when the module is installed (data files are loaded in list order, so put the security file before the views and data that depend on it).
- Step 4: Add one line per (model, group) pair to ir.model.access.csv, with these columns:
- id = unique identifier (external id) of the permission (e.g. access_hr_employee_user_feed)
- name = descriptive name of the permission (e.g. hr.feed user)
- model_id/id = external id of the model the permission applies to (e.g. model_hr_feed); it is always model_ followed by the model name with the dots replaced by underscores
- group_id/id = external id of the group the permission applies to (e.g. hr.group_hr_user)
- Where hr = the module that defines the group and group_hr_user = the group's id; leave the column empty to apply the line to every user
- perm_read, perm_write, perm_create, perm_unlink = the four flags granting the right to read, write, create and delete records of the model; 1 is True and 0 is False.
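The following is an added example, not code from the original page or from Odoo itself. It embeds a constructed ir.model.access.csv for a hypothetical hr.feed model and computes, outside Odoo, the model-level rights a user would end up with: the OR of every line whose group the user belongs to plus every line with an empty group. The external ids (access_hr_feed_user, hr.group_hr_manager and so on) are assumed names chosen for the illustration.

```python
import csv
import io

# Constructed example of module_name/security/ir.model.access.csv.
# The column names are the ones Odoo reads; the rows are illustrative only.
# __manifest__.py must list the file:  'data': ['security/ir.model.access.csv'],
ACCESS_CSV = """\
id,name,model_id/id,group_id/id,perm_read,perm_write,perm_create,perm_unlink
access_hr_feed_user,hr.feed user,model_hr_feed,hr.group_hr_user,1,1,1,0
access_hr_feed_manager,hr.feed manager,model_hr_feed,hr.group_hr_manager,1,1,1,1
access_hr_feed_everyone,hr.feed everyone,model_hr_feed,,1,0,0,0
"""

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")


def load_access_rows(text):
    """Parse the CSV and normalise the 0/1 permission flags to booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "id": row["id"],
            "model": row["model_id/id"],
            "group": row["group_id/id"].strip() or None,  # empty => global line
            "perms": {p: row[p].strip() == "1" for p in PERMS},
        })
    return rows


def effective_access(rows, model, user_groups):
    """Model-level rights a user holds: the OR of every line that applies.

    A line applies when its model matches and it is either global (no group)
    or names a group the user belongs to. With no applicable line at all,
    every flag stays False, which is Odoo's default of denying access.
    """
    granted = {p: False for p in PERMS}
    for row in rows:
        if row["model"] != model:
            continue
        if row["group"] is not None and row["group"] not in user_groups:
            continue
        for p in PERMS:
            granted[p] = granted[p] or row["perms"][p]
    return granted


if __name__ == "__main__":
    rows = load_access_rows(ACCESS_CSV)
    for groups in (set(), {"hr.group_hr_user"}, {"hr.group_hr_user", "hr.group_hr_manager"}):
        print(sorted(groups) or "(no group)", effective_access(rows, "model_hr_feed", groups))
```

Running it shows the additive behaviour: a user in no group gets read only (from the global line), an HR user additionally gets write and create, and a user who is also an HR manager gets unlink as well. A model with no matching line yields all four flags False.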
2. Record Rules:
Record rules are conditions that a record must satisfy for an operation (create, read, write or unlink) to be allowed on it. They are checked record by record, after the model-level access control has already passed, so they can only narrow what the access rights grant, never widen it.
Go through: Settings -> Technical -> Security -> Record Rules (visible with developer mode enabled)
A record rule has:
- A model on which it applies
- A set of user groups (no group means a global rule)
- A set of permissions to which it applies (e.g. if only perm_read is set, the rule is checked only when reading a record)
- A domain for filtering the records
If the domain matches a record, that record is accessible.
If the domain does not match, the record is not accessible.
Global rules and group rules are combined quite differently:
- Global rules are subtractive: all of them must match for a record to be accessible.
- Group rules are additive: if any of the rules for the user's groups matches (and all global rules match), the record is accessible.
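The following is an added example, not code from the original page or from Odoo. It models a handful of constructed rules for the hypothetical hr.feed model and applies the combination described above: every global rule must match, and when any group rules apply to the user at least one of them must match too. Only a small subset of Odoo's domain syntax is implemented (an implicit-AND list of leaves with the =, != and in operators, and values written as "user.<field>" that are looked up on the user), which is enough to show the subtractive/additive behaviour; the group names and record fields are assumptions.

```python
# Constructed record rules for a hypothetical hr.feed model. Each entry mirrors
# the fields of an ir.rule record: groups (empty set => global rule), the
# operations it is checked for, and the domain.
RULES = [
    {   # global: archived feeds are invisible to everyone, for every operation
        "name": "hr.feed: active only",
        "groups": set(),
        "perms": {"read", "write", "create", "unlink"},
        "domain": [("active", "=", True)],
    },
    {   # group rule: plain HR users only reach their own company's feeds
        "name": "hr.feed: own company",
        "groups": {"hr.group_hr_user"},
        "perms": {"read", "write", "create", "unlink"},
        "domain": [("company_id", "=", "user.company_id")],
    },
    {   # group rule: HR managers reach every company
        "name": "hr.feed: all companies",
        "groups": {"hr.group_hr_manager"},
        "perms": {"read", "write", "create", "unlink"},
        "domain": [(1, "=", 1)],
    },
]


def leaf_matches(record, leaf, user):
    """Evaluate one (field, operator, value) leaf against a record dict."""
    field, op, value = leaf
    if isinstance(value, str) and value.startswith("user."):
        value = user[value[len("user."):]]      # e.g. "user.company_id"
    left = record.get(field) if isinstance(field, str) else field  # (1,'=',1)
    if op == "=":
        return left == value
    if op == "!=":
        return left != value
    if op == "in":
        return left in value
    raise ValueError("unsupported operator %r" % op)


def domain_matches(record, domain, user):
    """Implicit-AND domain: every leaf must hold ('|' / '&' prefixes not handled)."""
    return all(leaf_matches(record, leaf, user) for leaf in domain)


def record_allowed(record, operation, user, rules=RULES):
    """Odoo's combination of rules for one operation on one record:
    all applicable global rules must match (subtractive); if any group rules
    apply to the user, at least one of them must match (additive)."""
    global_ok = True
    group_rules = []
    for rule in rules:
        if operation not in rule["perms"]:
            continue
        if not rule["groups"]:
            global_ok = global_ok and domain_matches(record, rule["domain"], user)
        elif rule["groups"] & user["groups"]:
            group_rules.append(rule)
    if not global_ok:
        return False
    if not group_rules:          # no group rule applies: global rules decide alone
        return True
    return any(domain_matches(record, r["domain"], user) for r in group_rules)


def visible_ids(records, operation, user, rules=RULES):
    """Ids of the records the user may perform `operation` on (search-style)."""
    return [r["id"] for r in records if record_allowed(r, operation, user, rules)]


if __name__ == "__main__":
    feeds = [
        {"id": 1, "active": True, "company_id": 1},
        {"id": 2, "active": True, "company_id": 2},
        {"id": 3, "active": False, "company_id": 1},
    ]
    hr_user = {"groups": {"hr.group_hr_user"}, "company_id": 1}
    hr_manager = {"groups": {"hr.group_hr_user", "hr.group_hr_manager"}, "company_id": 1}
    print("hr user sees", visible_ids(feeds, "read", hr_user))        # [1]
    print("hr manager sees", visible_ids(feeds, "read", hr_manager))  # [1, 2]
```

The manager belongs to both groups, so the two group rules are ORed and the "all companies" rule lets feed 2 through; the global "active only" rule still removes feed 3 for everybody, which is what "subtractive" means in practice.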
3. Field Access:
An ORM field can have a groups attribute listing one or more groups. If the current user is not in one of the listed groups, the field is hidden from views and the user can neither read nor write it, regardless of the access rights on the model.
4. Workflow Transition Rules:
Workflow transitions can be restricted to specific groups. (Workflows exist only in Odoo 9 and earlier; they were removed in Odoo 10, where state changes are ordinary model methods guarded by the mechanisms above.)
Go through: Settings -> Technical -> Workflows -> Transitions
A transition has:
- Source Activity: the starting state of the transition (e.g. purchase)
- Destination Activity: the ending state of the transition (e.g. cash_payment)
- Signal (Button Name): the signal that triggers the transition, normally sent by the button of that name (e.g. purchase_submit)
- Condition: a Python expression evaluated on the record that must be true for the workflow instance to pass through the transition (e.g. True)
- Group Required: the group a user must belong to for the signal to be accepted (e.g. Employees / Employee); a user outside that group cannot trigger the transition even if the condition holds