swethaNov. 27, 2017
Security mechanisms associates with groups and the groups consist of users. A user can belong to any number of groups. Moreover each user has some access rights/permissions to each model. It is managed by module_name/security/ir.model.access.csv file, defines access control to a whole model. Security mechanism in Odoo provides concerning user roles. we can hide fields or menus for some users and show them for others, make fields read-only for some users and make them editable for others. We use groups to control users.
It is managed by the ir.model.access records, defines access to a whole model. If a user belongs to one group has the access right to write and the user belongs to another group has the right to update. Then the same user can do the both. Suppose if the user does not belongs to any group then access rights applies to all users.
Record rules are certain conditions that the records must satisfy for the operations, for example, create, read, update or delete to be allowed. It is applied, record-by-record after the access control has been applied.
If filter matches: It is accessible
If filter does not matches: It is not accessible
An ORM field can have a groups attribute providing a list of groups. However, if the current user is not in one of the listed groups, he will not have access to the field.
There is restriction for Workflow transitions to some specific groups.
In short, hope you understood how security mechanism in Odoo works..