Some records in a model are only meant to be seen by specific users under certain conditions.
We can restrict which records are shown by using record rules.
For example, a normal employee of a company can see or change only the data related to them, whereas employees such as managers can see or edit all the records. This can be done using record rules.
There are four modes of access in record rules: CREATE, READ, WRITE, and DELETE. CREATE access allows users to create new records, READ access allows users to view records, WRITE access allows users to modify records, and DELETE access allows users to delete records. By defining these modes of access in our record rules, we can control what users can do with the records in our model.
Let's take a closer look at the XML code for creating a record rule in Odoo 16. Here's an example:
<record id="demo_record_user_rule" model="ir.rule">
    <field name="name">User can only see their own records</field>
    <!-- External ID of the model the rule applies to -->
    <field name="model_id" ref="module.model_name"/>
    <!-- "user" is the current user's record in the rule's evaluation context -->
    <field name="domain_force">[('user_id', '=', user.id)]</field>
    <field name="groups" eval="[(4, ref('base.group_user'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="False"/>
    <field name="perm_create" eval="False"/>
    <field name="perm_unlink" eval="False"/>
    <!-- Must be True for the rule to be applied -->
    <field name="active" eval="True"/>
</record>
In this example, we're creating a record rule with the ID "demo_record_user_rule". The "name" field is a human-readable description of the rule. The "model_id" field specifies the model to which this rule applies. In this case, we're referencing the "model_name" model.
The "domain_force" field is where we define the conditions for the record rule. In this example, we're using the "user_id" field to restrict access to records based on the current user's ID. The domain is evaluated with "user" bound to the current user's record, so by setting the domain to "[('user_id', '=', user.id)]", we're saying that users can only see records where the "user_id" field matches their own ID.
The "groups" field is where we specify the user groups that this record rule applies to. In this example, the rule applies to users who belong to the "base.group_user" group.
The "perm_read", "perm_write", "perm_create", and "perm_unlink" fields are where we specify the modes of access for the record rule. In this example, we're allowing users to read records but not create, write, or delete them.
Finally, the "active" field specifies whether the rule is active or not. If this field is set to "False", the rule will not be applied.
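How Odoo selects and combines record rules such as the one above, modelled in Python as an added example (it is not code from Odoo or from this article): a rule is consulted only while it is active and only for operations whose perm_* flag is True, global rules are combined with AND, and rules attached to the user's groups with OR. The manager group name and the sample records are assumptions constructed for the illustration; access rights (ir.model.access) and the superuser bypass are not modelled.

```python
# Added illustration: simplified model of Odoo's record-rule combination.
# Not Odoo source code; ACLs (ir.model.access) and the superuser bypass are not modelled.
from dataclasses import dataclass

ALL_MODES = frozenset({"read", "write", "create", "unlink"})

@dataclass(frozen=True)
class Rule:
    domain: object                   # callable (record, uid) -> bool, stands in for domain_force
    groups: frozenset = frozenset()  # empty set = global rule
    perms: frozenset = ALL_MODES     # modes whose perm_<mode> flag is True
    active: bool = True

def allowed(rules, record, uid, user_groups, mode):
    """Return True if the record rules let `uid` perform `mode` on `record`."""
    # Only active rules whose perm_<mode> flag is set are consulted for this operation.
    live = [r for r in rules if r.active and mode in r.perms]
    global_rules = [r for r in live if not r.groups]
    group_rules = [r for r in live if r.groups & user_groups]
    # Global rules are AND-ed together; rules of the user's groups are OR-ed.
    if not all(r.domain(record, uid) for r in global_rules):
        return False
    return not group_rules or any(r.domain(record, uid) for r in group_rules)

# The page's rule: own records only, base.group_user, perm_read only.
own_only = Rule(lambda rec, uid: rec["user_id"] == uid,
                frozenset({"base.group_user"}), frozenset({"read"}))
# Hypothetical manager rule (group name is an assumption): domain [(1, '=', 1)].
manager_all = Rule(lambda rec, uid: True, frozenset({"module.group_manager"}))

def demo():
    """Evaluate constructed records for an employee (uid 7) and a manager (uid 9)."""
    rules = [own_only, manager_all]
    mine, theirs = {"id": 1, "user_id": 7}, {"id": 2, "user_id": 8}
    employee = frozenset({"base.group_user"})
    manager = employee | {"module.group_manager"}
    inactive = [Rule(own_only.domain, own_only.groups, own_only.perms, active=False)]
    return {
        "employee reads own": allowed(rules, mine, 7, employee, "read"),
        "employee reads other": allowed(rules, theirs, 7, employee, "read"),
        # perm_write is False on the rule, so it is not consulted for writes.
        "employee writes other": allowed(rules, theirs, 7, employee, "write"),
        "manager reads other": allowed(rules, theirs, 9, manager, "read"),
        "inactive rule, reads other": allowed(inactive, theirs, 7, employee, "read"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

With perm_write set to False the rule does not filter writes at all; whether a write is permitted is then decided by the model's access rights and by any other rules that do apply to writes.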
Once we've defined our record rule in XML, we need to add it to the security folder in our Odoo module. The record rule will then be visible in the Record Rules menu under Security in Odoo.
The rule we created can be seen in the Record Rules menu under Security.
Here's the list view of record rules.
We can also create a record rule directly from here.
In conclusion, record rules in Odoo 16 are a powerful tool for managing access to data in our applications. By defining rules that restrict access to specific records based on the user's group, we can ensure that sensitive information is only available to those who need it. With the ability to control modes of access like create, read, write, and delete, we can give users the ability to work with records while still maintaining the security of our data. By using record rules effectively, we can create a more secure and efficient application for our users.