« Back to Blogs

Security Mechanism in Odoo v9

Users and users’ roles are critical points concerning internal security in Odoo. Odoo provides following several security mechanisms concerning user roles.

1.Access Control:

In Odoo with module, menu/view is not displayed proper or restricted when accessing by other user due to access rights/permissions. It is managed by module_name/security/ir.model.access.csv file,defines access control to a whole model.

Through this we can

  • Grant permissions like create,read,write(edit/update),delete to model

  • Define group to a model(optional)

    • If no group: access rights applies to all users

    • If group:  access rights applies to member of that group

Access controls are additive, for example if the user belongs to one group which allows writing and another which allows deleting, they can both write and delete.

Here is the steps with explanation to define ir.model.access.csv file for custom model.

Step 1 : Create Security folder in your custom module.



Step 2 : Make ir.model.access.csv file in Security folder.


Step3 : Edit in __openerp__.py         

'data': [




Step4 : Write following code in your ir.model.access.csv






Defining Access Rights ( ir.model.access.csv )

  • id = unique identity for the permission (Example:access_blog_post_user)

  • name = unique name for the permission (Example:blog.post.user)

  • model_id/id = the model unique name of the class you want apply permission on (Example: model_blog_post)

  • group_id/id = Permission apply on group(Example: Blog.group_blog_user)

    • Where Blog:module name  , group_blog_user :group id

  • perm_read,perm_write,perm_create,perm_unlink = the 4 values for the relative permission to read, write,create,unlink record on defined class. 1 is True and 0 is False

2.Record Rules:

Record rules are conditions that records must satisfy for an operation (create, read, update or delete) to be allowed. It is applied record-by-record after access control has been applied.

Go through : Settings -> Security -> Record Rules

A record rule has:

  • A model on which it applies

  • A set of permissions to which it applies (e.g. if perm_read is set, the rule will only be checked when reading a record)

  • A set of user groups (no group means global rule)

  • A domain for filtering data

    • If filter matches: It is accessible

    • If filter does not matches: It  is not accessible

Record Rules   Personal Orders   Odoo22.png


3.Field Access:

An ORM field can have a groups attribute providing a list of groups.If the current user is not in one of the listed groups, he will not have access to the field:

Applies most to all tags in xml:(For Example)


<field name="company_id" groups="base.group_multi_company"/>



<button name="submit_hr"  string="Submit to HR" class="oe_highlight"



4.Workflow Transition Rules:

Workflow transitions can be restricted to a specific group. Users outside the group can not trigger the transition.

1)Go through : Settings -> Workflow -> Transitions

A Transition has :

  • Source Activity : which define starting state of transition(eg. draft)

  • Destination Activity: which define ending state of transition(eg: waiting)

  • Signal(Button Name): which define activity name(eg: submit_hr)

  • Condition: which is used to check if workflow instance progresses through the transition or not (eg:True)

  • Group Required :which define group to give access (eg: Human Resource / Employee)


Transitions   submit_hr   Odoo.png


2)We can define group to transition from xml side also.

For example:

<record id="trans_draft_router" model="workflow.transition">

  <field name="act_from" ref="act_draft"/>

  <field name="act_to" ref="act_router"/>

  <field name="signal">order_confirm</field>

  <field name="condition">True</field>

  <field name="group_id" ref=”base.group_sale_customer”/>


contact-us Request a callback WhatsApp