In this blog we will discuss how you can manage users and access rights.
Users and user roles are critical points concerning internal security in Odoo. Odoo provides several security mechanisms concerning user roles, all implemented in the Odoo server, at the lowest server level. Odoo distinguishes three different concepts:
- User : A person identified by their login and password. Note that not all employees of a company are necessarily Odoo users; the user is somebody who accesses the application.
- Group : A group of users that has some access rights. A group gives its access rights to the users that belong to the group. For example: Sales Manager, Advisor, etc.
- Security Rule : A rule that defines the access rights a given group grants to its users. Security rules are attached to a given resource, for example, the Invoice model.
Security rules are attached to groups, and users are assigned to one or more groups. This gives users the rights that are attached to their groups. Therefore, controlling user roles is done by managing user groups and adding or modifying the security rules attached to those groups.
Odoo defines a user as someone who has access to a database to perform daily tasks. You can add as many users as you need and, in order to restrict the type of information each user can access, rules can be applied. Users and access rights can be added and changed at any point.
Add User : If you want to add a new user, go to Settings > Users & Companies > Users.
This lists all the existing users in the database. To create a new user, click on the “Create” button. For reference you can see the screenshot below.
When you click on the “Create” button, a new window opens. For reference you can see the screenshot below.
To review Access Groups, enable developer mode, navigate to Settings and select Users & Companies > Groups.
Once developer mode is activated, there is an option for selecting the type of user.
Here you can see there are three types of users.
Internal users can access the application, defining user access to each module.
Portal users are usually customers with portal access; they only get to see their documents.
Public users can access the website using a URL; limited access is available for this type of user.
For portal and public users, you cannot choose access rights.
Now click on the Preferences tab. Under the Preferences tab, the language and the user’s time zone can be changed. All the currently functional languages will be listed in the language selection. To activate new languages, go to Settings -> Translations -> Languages.
When you are done editing the page and have saved it, an invitation email is automatically sent to the user. The user must click on it to accept the invitation and create a login.
Deactivate User : To deactivate a user, go to Settings > Users & Companies > Users. This shows all the users that have been created. Select the user record that needs to be deactivated and click on the action Archive. For reference you can see the screenshot below.
Select Divya Vijay as highlighted above and then click on that.
When you click on “Archive”, a message window will pop up. For reference you can see the screenshot below.
If you want to proceed, click on the “OK” button; otherwise you can cancel it.
Password reset from the login page : If you want to reset the password from the login page, enable Password Reset permission in general settings.
Then go to the user’s window, select a user and click on the Send Password Reset Instructions button. An email will be sent to the user with a password reset link.
Change Password : If you want to change the password for a user, select that user, then click on “Change Password” in the Action menu.
When you click on “Change Password”, a new window will pop up where you have to enter a new password. For reference you can see the screenshot below.
Access Rights : Access rights are rules that define the access a user can have on a particular object. Those global rights are defined per document type or model. Rights follow the CRUD model: create, read (search), update (write), delete. For example, you can define rules on invoice creation. By default, adding a right to an object gives the right to all records of that specific object.
It is essential to have these rules to prevent confusion and ensure that the database is secure.
You can also set the custom access rights for new users from the general setting.
In the user’s form, we choose the group that defines the user access to specific applications. Let us know more about user groups.
When you click on Groups, you can see all the groups that have already been created. You can choose from them or you can create a new one. For now, I am selecting the highlighted group. For reference you can see the screenshot below.
Let’s check the Manufacturing/Administrator group. Users with administrative access rights are shown in the Users tab; you can also add a user to this group by clicking the “Add a line” button; the corresponding users’ access rights are updated on the user’s form. For reference you can see the screenshot below.
Inherited means that the users added to this group are also added to the groups listed in the Inherited tab. Whenever a user is added to the Manufacturing/Administrator group, they are also added to the Manufacturing/User: All Documents group. It means that the user will also have all the access rights of the Manufacturing/User: All Documents group. For reference you can see the screenshot below.
The Menus tab is where you define which menus (models) the user can have access to.
Access Rights rules are the first level of rights. The field is composed of the object name, which is the technical name given to a model. For each model, enable the following options as appropriate:
Read : The values of that object can be only seen by the user.
Write : The values of that object can be edited by the user.
Create : The values for that object can be created by the user.
Delete : The values of that object can be deleted by the user.
Record Rules : When accessing an object, records are filtered based on record rules. Record rules or access filters are therefore filters that limit the records of an object a group can access. A record rule is a condition that each record must satisfy to be created, read, updated (written) or deleted. Records that do not meet the constraints are filtered out. For example, you can create a rule to limit a group in such a way that users of that group will see only the business opportunities in which they are flagged as the salesman. The rule can be salesman = connected_user. With that rule, only records respecting the rule will be displayed.
In other words, record rules form a secondary layer, which is used to override or refine the access rights rules. They are written using a domain. A domain represents the list of conditions that filter the records, and we can assign read, write, create and delete access on them.
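The three layers described in this post (inherited groups, access rights, record rules) can be sketched as a simplified Python model. This is an added example, not Odoo's own code; the group, model and field names and the sample records are constructed for illustration.

```python
# Simplified model of the three layers described in this post; it is not
# Odoo's source code. Groups, models and records are constructed samples.
IMPLIED = {  # group -> groups listed on its "Inherited" tab
    "Manufacturing / Administrator": {"Manufacturing / User: All Documents"},
}
ACCESS = {  # (group, model) -> CRUD operations the access right grants
    ("Manufacturing / User: All Documents", "production.order"): {"read", "write", "create"},
    ("Manufacturing / Administrator", "production.order"): {"delete"},
    ("Sales / Salesman", "opportunity"): {"read", "write"},
}
RULES = {  # (group, model) -> record rule: salesman = connected_user
    ("Sales / Salesman", "opportunity"): lambda rec, uid: rec["salesman"] == uid,
}
OPPORTUNITIES = [  # constructed records
    {"id": 1, "salesman": 7}, {"id": 2, "salesman": 9}, {"id": 3, "salesman": 7},
]

def effective_groups(direct):
    """Direct groups plus everything they inherit, transitively."""
    seen, todo = set(), list(direct)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(IMPLIED.get(group, ()))
    return seen

def allowed_ops(direct, model):
    """First level: access rights are the union over all effective groups."""
    ops = set()
    for group in effective_groups(direct):
        ops |= ACCESS.get((group, model), set())
    return ops

def accessible(uid, direct, model, op, records):
    """Second level: record rules filter what the access right allowed."""
    if op not in allowed_ops(direct, model):
        return []  # no access right, so record rules are never consulted
    groups = effective_groups(direct)
    rules = [r for (g, m), r in RULES.items() if g in groups and m == model]
    if not rules:
        return list(records)  # no rule for these groups: all records pass
    return [rec for rec in records if any(rule(rec, uid) for rule in rules)]

if __name__ == "__main__":
    print(sorted(allowed_ops({"Manufacturing / Administrator"}, "production.order")))
    print(accessible(7, {"Sales / Salesman"}, "opportunity", "read", OPPORTUNITIES))
```

When auditing a database, the useful check is the same as in this model: compute a user's effective groups first, because rights gained through inheritance do not show up if you only look at the groups ticked directly on the user form.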
I hope this information will help you to understand the workflow of users and access rights and through this you will also understand how you can manage users and access rights in Odoo V15.