
Security Mechanism In Odoo

Author: swetha, Nov. 27, 2017

How secure is Odoo?

Odoo's security mechanisms are built around groups, and groups consist of users. A user can belong to any number of groups. In addition, each user has access rights (permissions) on each model. These are managed by the module_name/security/ir.model.access.csv file, which defines access control for a whole model. The security mechanism in Odoo is organized around user roles: we can hide fields or menus from some users and show them to others, or make fields read-only for some users and editable for others. We use groups to control users.

1. Access Control:

Access control is managed by ir.model.access records, which define access to a whole model. If a user belongs to one group that has the right to write and to another group that has the right to update, then that user can do both. If the user does not belong to any group, then the access rights apply to all users.

Here are some steps:

    • Step 1: Create a security folder in your module.
    • Step 2: Create the ir.model.access.csv file in that folder.
    • Step 3: In the __manifest__.py

[Image: Steps for Access Control in Security Mechanism In Odoo]

    • Step 4: In the ir.model.access.csv file.

[Image: 4th step for the Access Control]

    • id = unique identity for the permission (e.g. access_hr_employee_user_feed)
    • name = unique name for the permission (e.g. hr.feed user)
    • model_id = the unique model name of the class you want to apply the permission to (e.g. model_hr_feed; the model name must be given with underscores)
    • group_id/id = the group the permission applies to (e.g. hr.group_hr_user, where hr = module name and group_hr_user = group id)
    • perm_read, perm_write, perm_create, perm_unlink = the 4 values for the respective permissions to read, write, create and unlink records of the defined class. 1 is True and 0 is False.
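
As an added illustration (not code from the original post or from Odoo), the Python script below parses an ir.model.access.csv with the columns described above, computes the additive permissions a user gets from their groups, and flags rows with an empty group that grant more than read. Only the first sample row uses the article's ids; the other rows and all function names are constructed for this example, and treating an empty group_id as applying to every user follows Odoo's documented behaviour.

```python
import csv
import io

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")

# Constructed sample: the first data row uses the ids from the article,
# the other two rows are made up for this example.
SAMPLE_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_hr_employee_user_feed,hr.feed user,model_hr_feed,hr.group_hr_user,1,0,0,0
access_hr_feed_manager,hr.feed manager,model_hr_feed,hr.group_hr_manager,1,1,1,0
access_hr_feed_all,hr.feed all,model_hr_feed,,1,0,0,1
"""


def load_acl(text):
    """Parse ir.model.access.csv text into a list of normalized row dicts."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text)):
        # Accept both "group_id:id" and "group_id/id" header spellings.
        row = {k.replace("/", ":").split(":")[0].strip(): (v or "").strip()
               for k, v in raw.items()}
        row["perms"] = {p for p in PERMS if row.get(p) == "1"}
        rows.append(row)
    return rows


def effective_perms(rows, model, user_groups):
    """Union of permissions from rows matching the user's groups or no group."""
    granted = set()
    for row in rows:
        if row["model_id"] != model:
            continue
        # A row with an empty group applies to every user.
        if row["group_id"] == "" or row["group_id"] in user_groups:
            granted |= row["perms"]
    return granted


def groupless_risky_rows(rows):
    """Ids of rows with no group that grant more than read to every user."""
    return [r["id"] for r in rows
            if r["group_id"] == "" and r["perms"] - {"perm_read"}]


if __name__ == "__main__":
    acl = load_acl(SAMPLE_CSV)
    print(sorted(effective_perms(acl, "model_hr_feed", {"hr.group_hr_user"})))
    print(groupless_risky_rows(acl))
```

Running groupless_risky_rows over each module's ir.model.access.csv during review is a quick way to spot rows that hand write, create or unlink to all users.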

2. Record rules:

Record rules are conditions that records must satisfy for an operation (for example create, read, update or delete) to be allowed. They are applied record by record, after access control has been applied.

After that, go to: Settings -> Security -> Record Rules

A record rule has:
    • A model on which it applies
    • A set of user groups (no group means global rule)
    • A set of permissions to which it applies (e.g. if perm_read is set, the rule will only check when reading a record)
    • A domain for filtering data

    If the filter matches: the record is accessible.

    If the filter does not match: the record is not accessible.

    Difference between global rules and group rules:
    • Global rules are subtractive: they must all match for a record to be accessible.
    • Group rules are additive: if any of them matches (and all global rules match), the record is accessible.

[Image: Global rules and group rules for the Security Mechanism In Odoo]

3. Field Access:

An ORM field can have a groups attribute providing a list of groups. If the current user is not in one of the listed groups, they will not have access to the field.

4. Workflow Transitions Rules:

Workflow transitions can be restricted to specific groups.

[Image: Workflow Transitions Rules for the Security Mechanism In Odoo]

Go to: Settings -> Workflow -> Transitions

A transition has:
    • Source Activity: defines the starting state of the transition (e.g. purchase)
    • Destination Activity: defines the ending state of the transition (e.g. cash_payment)
    • Signal (Button Name): defines the activity name (e.g. purchase_submit)
    • Condition: used to check whether the workflow instance progresses through the transition or not (e.g. True)
    • Group Required: defines the group that is given access (e.g. Employees / Employee)

In short, we hope you now understand how the security mechanism in Odoo works.
