Access rights are fundamental permissions that govern which content and applications users can access, view, and modify within Odoo. These permissions are crucial for maintaining data integrity and operational security, as they can be precisely configured for individual users or collectively for groups of users. By limiting permissions to only those who strictly require them, organizations can effectively prevent unauthorized modifications or deletions of sensitive data.

It is important to note that only an authorized administrator possesses the capability to alter access rights within the Odoo environment.

Danger: Exercise Caution with Access Rights

Making modifications to access rights carries significant potential risks and can have a detrimental impact on your Odoo database. This includes the risk of creating an impotent admin scenario, where no user in the database retains the ability to make further changes to access rights. For these critical reasons, Odoo strongly recommends consulting with an Odoo Business Analyst or contacting our Support Team before implementing any changes to access rights configurations.

Tip: Administrator Access for Permissions Management

To successfully modify another user’s access rights settings, a user must have specific Administration access rights enabled on their own user profile. To enable this setting, navigate to the user's profile within Odoo. Once on the profile, an already existing administrator must change the setting in the Administration field to Access Rights. After making this crucial change, remember to click Save to apply the updates and designate the user as an administrator with the authority to manage other users' permissions.

Managing Individual User Access Rights

Access rights for individual users are typically established when a user is initially added to the Odoo database. However, these permissions are not static and can be adjusted at any time through the user’s dedicated profile. To modify a user’s access rights, an administrator should navigate to Settings > Users & Companies > Users and then click on the desired user to edit their profile.

Users menu in the Users & Companies section of the Settings app of Odoo.

On the user’s profile page, within the Access Rights tab, scroll down to review the current permissions assigned to that user.

For each installed application, a dropdown menu is available, allowing administrators to select the appropriate level of permission for the user. While the available options may vary depending on the specific application, the most common choices typically include: Blank/None (no access), User: Own Documents (access only to documents created by the user), User: All Documents (access to all documents within the application), or Administrator (full administrative access for that application).

The Administration field, also located within the Access Rights tab, offers distinct options: Settings or Access Rights. Selecting Access Rights here grants the user permission to manage other users' access rights.

The Sales apps drop-down menu to set the user's level of permissions.

Creating and Modifying Access Groups

Groups are powerful, app-specific sets of permissions designed to streamline the management of common access rights for a large number of users. Administrators have the flexibility to either modify existing groups within Odoo or to create entirely new ones, enabling them to define precise rules for models within a specific application.

To access and manage groups, it is first necessary to activate Odoo’s developer mode. Once activated, navigate to Settings > Users & Companies > Groups.

Groups menu in the Users & Companies section of the Settings app of Odoo.

To create a new group from the Groups page, simply click the Create button. A blank group form will appear, where you can select an Application and proceed to complete the detailed group form (as outlined below). To modify an existing group, click on its name from the list displayed on the Groups page, and then edit the contents of the form.

Begin by entering a descriptive Name for the group. If this group is intended to define access rights for sharing data with other users, ensure to tick the checkbox next to Share Group.

Important: Always Test Changes

It is critically important to thoroughly test any access right settings that have been changed or newly configured. This ensures that the permissions are being applied correctly and to the intended users, preventing unintended access or restrictions.

The group form is organized into multiple tabs, each dedicated to managing different elements of the group’s configuration. Within each tab, you can click Add a line to introduce a new row for users or rules, and click the ❌ (remove) icon to delete an existing row.

Tabs in the Groups form to modify the settings of the group.

  • Users tab: This tab provides a comprehensive list of the current users who are members of this group. Users displayed in black text typically possess administrative rights, while those in blue text do not. To add new users to this group, simply click Add a line.
  • Inherited tab: The concept of "Inherited" groups means that any user added to the current group will automatically gain membership in all groups listed on this tab. To include additional inherited groups, click Add a line.

    Example: Understanding Inherited Group Permissions

    For instance, if the Sales/Administrator group includes the Website/Restricted Editor group in its Inherited tab, then any user assigned to the Sales/Administrator group will automatically be granted access corresponding to the Website/Restricted Editor group’s permissions as well. This streamlines permission assignment for complex roles.

  • Menus tab: This tab explicitly defines which models and corresponding menus the group members are permitted to access within Odoo. To grant access to a specific menu, click Add a line and select the desired menu.
  • Views tab: Here, you can specify which particular views within Odoo the group has access to. To add a view to the group’s permissions, click Add a line.
  • Access Rights tab: This tab details the first level of rights, focusing on the models that this group has permissions over. The Name column allows for a descriptive name for the group’s access to the model selected in the Model column. To link a new access right to a group, click Add a line. Select the appropriate model from the Model dropdown, then enter a clear name for the access right in the Name column. For each model, you can enable the following granular options as appropriate:
    • Read: Users have the ability to view the existing data and values of the object.
    • Write: Users are authorized to modify or update the existing data and values of the object.
    • Create: Users can generate and add new entries or values for the object.
    • Delete: Users have the permission to remove or delete existing data and values associated with the object.

    Tip: Naming Conventions for Access Rights

    While there are no strict conventions enforced for naming access rights, it is highly recommended to choose a name that clearly and easily identifies its specific purpose and scope. For example, the access given to purchase managers for the Contact model could be aptly named res.partner.purchase.manager. This structure typically consists of the technical name of the model, followed by a descriptive name identifying the group of users in question.

    Name of access rights to a model

    To identify a model’s technical name directly from the current view, you can first enter placeholder text in the Name field, then click on the Model name, and finally, select the (Internal link) icon to reveal the technical name.

  • Record Rules: Record rules introduce a second, more granular layer of editing and visibility rights. These rules function to either overwrite or further refine the general access rights defined for the group. To incorporate a record rule into this group, click Add a line. For each rule, carefully choose values for the following options:
    • Apply for Read: Determines if this specific rule will apply when users attempt to view records.
    • Apply for Write: Determines if this specific rule will apply when users attempt to modify records.
    • Apply for Create: Determines if this specific rule will apply when users attempt to create new records.
    • Apply for Delete: Determines if this specific rule will apply when users attempt to delete records.

    Important: Understanding Domain Expressions in Record Rules

    Record rules are constructed using a domain, which consists of conditions that effectively filter data. A domain expression is a list of such conditions, allowing for highly specific filtering. For instance, the expression: [('mrp_production_ids', 'in', user.partner_id.commercial_partner_id.production_ids.ids)] is a record rule designed to enable MRP consumption warnings specifically for subcontractors. Odoo provides a comprehensive library of preconfigured record rules for ease of use. However, users who lack familiarity with domains and domain expressions are strongly advised to consult an Odoo Business Analyst or the Odoo Support Team before attempting to make any changes to these advanced settings.

Understanding and Using Superuser Mode

Superuser mode is a powerful feature that grants the user the ability to completely bypass all configured record rules and access rights within Odoo, providing unrestricted access to the system. To activate Superuser mode, you must first ensure that developer mode is enabled. Subsequently, navigate to the debug menu, which is distinctly represented by a ???? (bug) icon, prominently located in the top banner of the Odoo interface. Finally, towards the bottom of the debug menu, select and click on Become Superuser.

Important: Superuser Mode Access Requirements

Access to Superuser mode is restricted. Only users whose profiles have Settings access enabled for the Administration section within their Access Rights are permitted to log in or activate Superuser mode.

Danger: Extreme Caution with Superuser Mode

Superuser mode allows for the complete circumvention of all record rules and access rights, and as such, its use should be exercised with extreme caution and only when absolutely necessary. There is a significant risk that upon exiting Superuser mode, users may find themselves locked out of the database due to critical changes made while in this privileged state. This can lead to an impotent admin situation, where an administrator loses the ability to modify access rights or settings. In such an unfortunate event, it is imperative to contact Odoo Support immediately by submitting a new help ticket. The Odoo support team is equipped to restore access using a dedicated support login.

To gracefully leave Superuser mode, simply log out of the current account. Navigate to the upper-right corner of the interface, click on the OdooBot username, and then select the Log out option.

Tip: Alternative Superuser Login

An alternative method to activate Superuser mode is to log in directly as a superuser from the initial login screen. To do this, navigate to the Odoo login screen and enter the appropriate Email and Password for an authorized user. Instead of clicking the standard Login button, click on Log in as superuser.

War diese Antwort hilfreich? 0 Benutzer fanden dies hilfreich (0 Stimmen)

Populärste

How to Setup Email Accounts in cPanel

Setting Up Email Accounts in cPanelThis guide will walk you through the process of creating and...
Understand Workflow Triggers

Understanding Workflow Triggers for Metanow CRM Integrations Workflow triggers in Metanow CRM are...
ModSecurity® 3

ModSecurity® 3 - Metanow CRM ModSecurity® 3 Overview ModSecurity...
The Ultimate Guide to Voicemail: Everything You Need to Know

The Ultimate Guide to Voicemail: Everything You Need to Know Understanding Voicemail: A Brief...
Gain Insights into Every Association | Features

Gain Comprehensive Insights into Every Association | Metanow CRM Features Association Deep...