Configuring access control security
Odoo includes built-in access control mechanisms. A user will only be able to use the features he was granted access to. This means that the Library features we created are not accessible by users. The admin user can because it is a special case; the access control mechanisms don't apply to it.
The access control is based on Groups. A security Group is given access to Models, and this will determine the menu items available to the users belonging to that Group. For more fine-grained control, we can also give access to specific Menu Items, Views, Fields, and even data records (with Record Rules).
The security Groups are also organized around apps, and usually each app provides at least two Groups: User, capable of performing the daily tasks, and Manager, able to perform all configurations for that app.
We cover this topic in more detail in Chapter 5, Import, Export, and Module Data, but will give a short introduction to it here, so that our users can use the Library app.
Let's create a new security Group. In the Settings top menu, navigate to Users & Companies | Groups. Create a new record using the following values:
- Application: Type Library, and select the Create "Library" option in the popup
- Name: User
- Inherited tab: Add the item Employees / Employee:
The Library app is not available yet in the Application selection list, so we added it directly from the Group form.
We also made it "inherit" the Employee Group. This means that members of this Group will also be made members of the inherited Groups (recursively), effectively having the permissions granted to all of them. Employee is the basic access Group, and app security Groups usually inherit it.
Now we can grant access to specific Models to the Library / User Group. We can use the Access Rights tab of the Groups form for this. Add an item there, using these values:
- Object: select Library Book from the list
- Read, Write, Create and Delete Access: Checked
- Name: Library Book User Access
The Name attribute is just informative but is mandatory. The Model access can also be managed from the Technical | Security | Access Control List menu item.
We don't need to add access to the Partner model because we inherit the Employees Group that already has access to it.
We can now try this new security group on a user. If you are using an Odoo instance with demo data installed, you should have the Demo User that we can use for this. If not, no problem, you can create or use an existing user. The point here is to not use the admin user, since it has special security privileges and bypasses access control.
Select the Users & Companies | Users menu item and edit the Demo User form:
In the Access Rights tab, in Application Accesses section, we should see a Library option, where we can select the User security group. Select it, save, log out from the Administrator account, and log in with the demo user (the default password is demo).
If everything was done correctly, you should be able to see the Library top menu, and use it to add books and authors.