Odoo's security mechanisms are built around groups. Groups consist of users, and a user can belong to any number of groups. Through its groups, each user holds a set of access rights (permissions) on each model. These rights are declared in the module's module_name/security/ir.model.access.csv file, which defines access control for a whole model. The security mechanism in Odoo is therefore organised around user roles.
1. Access Control:
Access control is managed by ir.model.access records, each of which defines access to a whole model. Access rights are additive: if a user belongs to one group that has the right to write and to another group that has the right to update, the same user can do both. If an access record specifies no group, its access rights apply to all users.
The steps are:
Step 1: Create a security folder in your module.
Step 2: Create the ir.model.access.csv file in that folder.
Step 3: Declare the file in the module's __manifest__.py (in its data list) so that it is loaded with the module.
Step 4: Fill in the ir.model.access.csv file, whose columns are:
id = unique identifier for the permission (e.g. access_hr_employee_user_feed)
name = unique name for the permission (e.g. hr.feed user)
model_id/id = the unique name of the model the permission applies to (e.g. model_hr_feed; the model name must be written with underscores instead of dots and prefixed with model_)
group_id/id = the group the permission applies to (e.g. hr.group_hr_user, where hr is the module name and group_hr_user is the group id)
perm_read, perm_write, perm_create, perm_unlink = the four flags granting the permission to read, write, create and unlink records of the given model; 1 is True and 0 is False.
2. Record Rules:
Record rules are conditions that records must satisfy for an operation such as create, read, update or delete to be allowed. They are applied record by record, after access control has been applied.
Go through: Settings -> Security -> Record Rules
A record rule has:
A model on which it applies
A set of user groups (no group means a global rule)
A set of permissions to which it applies (e.g. if perm_read is set, the rule is only checked when reading a record)
A domain for filtering data
If the filter matches: the record is accessible
If the filter does not match: the record is not accessible
Difference between global rules and group rules:
Global rules are subtractive: they must all match for a record to be accessible.
Group rules are additive: if any of them matches (and all global rules match), the record is accessible.
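The following is an added example, not code from the original page or from Odoo itself: a small Python model of the two layers described above (the ir.model.access.csv rows and the record rules), so that the additive/subtractive semantics can be checked on sample data. The CSV rows, the record rules and the records are constructed here; the domain evaluator is a simplification of Odoo domains (implicit AND, only '=' and 'in'), and the case where no group rule applies to the user is resolved the way Odoo does, by the global rules alone.

```python
import csv
import io
PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")

# Constructed ir.model.access.csv (not from a real module); an empty group_id/id means everyone.
ACCESS_CSV = """id,name,model_id/id,group_id/id,perm_read,perm_write,perm_create,perm_unlink
access_hr_feed_all,hr.feed all,model_hr_feed,,1,0,0,0
access_hr_feed_user,hr.feed user,model_hr_feed,hr.group_hr_user,1,1,1,0
"""

# Constructed record rules: empty "groups" = global rule; "domain" = implicit-AND (field, op, value).
RULES = [
    {"groups": set(), "perms": {"perm_read", "perm_write"}, "domain": [("active", "=", True)]},
    {"groups": {"hr.group_hr_user"}, "perms": {"perm_write"}, "domain": [("department", "=", "hr")]},
]

def load_access(csv_text):
    """Parse the CSV into dicts whose perm_* columns are booleans (1 -> True)."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row.update({p: row[p].strip() == "1" for p in PERMS})
        rows.append(row)
    return rows

def model_access(rows, model, user_groups, perm):
    """Model level: rows are additive across the user's groups; an empty group applies to all."""
    return any(r[perm] for r in rows if r["model_id/id"] == model
               and (r["group_id/id"] == "" or r["group_id/id"] in user_groups))

def domain_matches(domain, record):
    """Evaluate an implicit-AND domain (only '=' and 'in' supported) against one record."""
    for field, op, value in domain:
        actual = record.get(field)
        if (op == "=" and actual != value) or (op == "in" and actual not in value):
            return False
    return True

def record_access(rules, record, user_groups, perm):
    """Record level: all global rules must match; applicable group rules are OR-ed."""
    applicable = [r for r in rules if perm in r["perms"]]
    global_rules = [r for r in applicable if not r["groups"]]
    group_rules = [r for r in applicable if r["groups"] & user_groups]
    if not all(domain_matches(r["domain"], record) for r in global_rules):
        return False
    # With no group rule applicable to this user, the global rules alone decide.
    return not group_rules or any(domain_matches(r["domain"], record) for r in group_rules)

def can_access(record, user_groups, perm="perm_read", model="model_hr_feed"):
    # Access control first, then record rules, record by record.
    rows = load_access(ACCESS_CSV)
    return model_access(rows, model, user_groups, perm) and record_access(RULES, record, user_groups, perm)
```

A user with no groups can still read active records through the group-less CSV row, but only members of hr.group_hr_user can write, and then only to records whose department matches the group rule.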
3. Field Access:
An ORM field can have a groups attribute giving a list of groups. If the current user is not in one of the listed groups, they will not have access to the field.
4. Workflow Transitions Rules:
Workflow transitions can be restricted to specific groups.
Go through: Settings -> Workflow -> Transitions
A transition has:
Source Activity: defines the starting state of the transition (e.g. purchase)
Destination Activity: defines the ending state of the transition (e.g. cash_payment)
Signal (Button Name): defines the activity name (e.g. purchase_submit)
Condition: used to check whether the workflow instance progresses through the transition or not (e.g. True)
Group Required: defines the group given access to the transition (e.g. Employees / Employee)