Creating security groups in Odoo

1. Introduction

Security groups are one of the most used principles in Odoo. By creating security groups you can define which users should be able to see and access what values. Security groups allow you to deny permissions models, to hide menus or to hide fields on views. In this tutorial we will create a security group, configure it to automatically add some users and we will see how to hide or show menu's for specific users within a group.

2. Creating the model

The first thing to do is to create a model. If you already have an existing model you can skip this chapter and continue with chapter 3. Still reading? Alright, let us create a new model. In this tutorial I will create a new model named 'demo.access.right', with just one simple field. Create a new Python file under the 'models' directory and create a new model with a field:

                    # -*- coding: utf-8 -*-from odoo import models, fields, apiclass DemoAccessRight(models.Model):    _name = 'demo.access.right'    name = fields.Char(string='Name', required=True)                                    

We will use this model later on in this tutorial to show you how you can limit access on menuitems depending on the security group the user is in.

3. Creating the security groups

Alright, now that we have a model, the next thing to do is to create the security groups with the specific rights that you would like to give to this group.First of all open up the ir.model.access.csv file (under security/) and look at the top of the file. When you look at this file you'll see that there are a few columns. Let me explain them a bit into detail:

• Id: An unique identifier for the record (they should always be unique!).
• Name: This is the description that is shown in the front-end and is the name for the security group
• model_id:id: The name of the model where you want to create a security rule for. Replace the '.' by an '_'. If you have a model named 'this.model' it should become 'this_model' and it should always be prefixed with model_. So this would become 'model_this_model' in my example.
• group_id:id: an unique ID for the group.
• perm_read: If this is set to 1 it means that all users that are in this group have read access on this model. If it is set to 0 it means that the users don't have read rights.
• perm_write: If this is set to 1 it means that all users that are in this group have write access on this model. If it is set to 0 it means that the users don't have write rights.
• perm_create: If this is set to 1 it means that all users that are in this group have create access on this model. If it is set to 0 it means that the users don't have create rights.
• perm_unlink: If this is set to 1 it means that all users that are in this group have delete access on this model. If it is set to 0 it means that the users don't have delete rights.

Let us start writing security groups. In my example I will create two groups: one with full rights for reading, writing, creating and deleting (admin behaviour) and one group that can only read records. Let me show you the result and I will then explain it further!

                    id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink--ENTER--demo_admin,Model admin access,model_demo_access_right,tutorial_create_security_groups.group_manager,1,1,1,1--ENTER--demo_user,Model user access,model_demo_access_right,tutorial_create_security_groups.group_user,1,0,0,0                                    

Look at those two rules for a minute and try to figure out what they do.I've created two lines, which means two groups, that are both for the model 'demo.access.right', where the first group has all rights on the model and the second group can only read data (look at the 1,1,1,1 and the 1,0,0,0).Do you notice something else? There is a group_id in the field named  'tutorial_create_security_groups.group_manager' on the first line and 'tutorial_create_security_groups.group_user' on the second line. What do these two mean? Well, the first part ('tutorial_create_security_groups') is the name of the module where you are creating groups for. The second part, 'group_manager' will link to an XML record in which we specify the rest of the details. Add those lines to your CSV file, save it and then close it.

4. Creating the groups and selection in XML

Now that you've written the groups in the CSV we have the rules but in the CSV file they link to 'group_manager' and 'group_user', which we still haven't made anywhere. So let us make them! Create a new XML file under the 'security' folder so that we can write the XML code. In this tutorial I'll name the file 'user_groups.xml'. We now need three things:

• A group named 'group_user'.
• A group named 'group_manager'.
• A record that will link these two groups in a dropdown, in order to show it on the user form.

Let's start by writing a record that will show our both groups in a dropdown:

                                                                        <record model="ir.module.category" id="module_management">                                <field name="name">Demo module access</field>                                <field name="description">User access level for this module</field>                                <field name="sequence">1</field>                            </record>                                                            

This will create an option in the user his form that has the label 'Demo module access' and a description 'User access level for this module'. The sequence can be used to specify where it should come in the view. One down, two to go. We now need to create two group records ('group_user' and 'group_manager') so that the CSV can find and use these groups. The code should look like this:

                                                                        <record id="group_user" model="res.groups">                                <field name="name">User</field>                                <field name="category_id" ref="tutorial_create_security_groups.module_management"></field>                            </record>                            --ENTER--                            <record id="group_manager" model="res.groups">                                <field name="name">Manager</field>                                <field name="implied_ids" eval="[(4, ref('tutorial_create_security_groups.group_user'))]"></field>                                <field name="users" eval="[(4, ref('base.user_root')), (4, ref('base.user_admin'))]"></field>                                <field name="category_id" ref="tutorial_create_security_groups.module_management"></field>                            </record>                                                            

Let me explain the code a bit more. The 'name' field will be the text that is shown to the user in the front-end.By setting the 'users' field (which links to another group user) you can say that by default users that belong to the other group should be added to this specific group. For example: with users set to 'base.user_root' I will by default enable this value for the user. By setting the field 'implied_ids' on the 'group_manager' I'm saying that if the user has the manager rights that he should also have rights as a user (ref('tutorial_create_security_groups.group_user') does this).

That is all! You've just created your own security groups and made them available on the user his form so that you can configure this for every user on his own.

5. Applying groups to menus

So what if you have a menuitem that you do not want to show to the user group but only to the manager group? Or the other way around? You can easily solve this by adding the "groups=" attribute on the menuitem. By setting a group on the menuitem Odoo will automatically remove - or show - the menuitem. Let us first create a parent menuitem:

                                                                        <menuitem id="main_access_rights_menu" name="Access rights demo"/>                                                            

Now let us create a child menuitem that is only visible for the user group:

                                                                        <menuitem id="menu_detail_access_admin_rights"                            groups="tutorial_create_security_groups.group_manager"                            action="access_rights_admin_action"                            parent="main_access_rights_menu">                                                            

And last but not least a menuitem that is only visible for the manager group:

                                                                        <menuitem id="menu_detail_access_user_rights"                                      groups="tutorial_create_security_groups.group_user"                                      action="access_rights_user_action"                                      parent="main_access_rights_menu">                                                            

By simply adding the 'groups=' tag on the menuitems we can specify which group can access which menuitem! It is as simple as that. When you would now create a new user with the 'User' rights he would only see the menuitem for the user and not the admin menu.

6. Conclusion

The security groups and security rules are not very hard to set-up but allow you a very broad range of configuration. You can specify what a user can see just by in which groups or security rules the user is in. This allows you to show or hide menuitems, fields and options with very little effort. The possibilities are endless! Take some time to fully understand security groups and to get familiar with them, you'll need them quite often probably.