Record rules are essential for managing access control, allowing you to define who can view, create, or modify specific records within the system based on user roles. For instance, a regular employee in a company can only view or modify data that is directly related to them, while managers have access to view and edit all records. This level of access control is achieved through record rules.
Record rules provide four modes of access: CREATE, READ, WRITE, and DELETE. CREATE grants the ability to add new records, READ allows users to view records, WRITE enables record modification, and DELETE permits record removal. By specifying these access modes in record rules, we can control user actions on records within a model.
The following example creates a record rule.
<?xml version="1.0" encoding="UTF-8"?>
<odoo noupdate="1">
    <record id="custom_record_rule" model="ir.rule">
        <field name="name">User can only see their own records</field>
        <!-- Model the rule applies to: sale.order -->
        <field ref="sale.model_sale_order" name="model_id"/>
        <!-- Match only records created by the current user -->
        <field name="domain_force">[('create_uid', '=', user.id)]</field>
        <!-- (4, id) links the rule to the base.group_user group -->
        <field name="groups" eval="[(4, ref('base.group_user'))]"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="False"/>
        <!-- False: the rule is loaded but not enforced -->
        <field name="active" eval="False"/>
    </record>
</odoo>
In this example, we are defining a record rule with the ID custom_record_rule. The name field provides a readable description of the rule, while the model_id field identifies the specific model it applies to. Here, the rule is being applied to the sale.order model, referenced by its external ID sale.model_sale_order.
The domain_force field defines the conditions for the record rule. By setting the domain to [('create_uid', '=', user.id)], we ensure that users can only access records created by them.
The groups field determines which user groups have access to the record rule. In this example, users in the base.group_user group are granted access. The perm_read, perm_write, perm_create, and perm_unlink fields define the allowed actions for the record. Here, users can only read records, but cannot create, modify, or delete them. Lastly, the active field indicates whether the rule is enabled. If it is set to False, as it is in the example above, the rule will not be enforced.
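As an added illustration (not code from the original article or from Odoo), this Python sketch parses the rule above and applies its domain to constructed sale orders, showing what the active flag changes. The function names, the sample orders and the force_active parameter are assumptions; groups, access rights and other rules are not modelled, and the domain is evaluated by simple substitution rather than by Odoo's own evaluator.

```python
import ast
import xml.etree.ElementTree as ET

# The rule from this page, embedded so the example runs offline.
RULE_XML = """<odoo noupdate="1">
  <record id="custom_record_rule" model="ir.rule">
    <field name="name">User can only see their own records</field>
    <field ref="sale.model_sale_order" name="model_id"/>
    <field name="domain_force">[('create_uid', '=', user.id)]</field>
    <field name="groups" eval="[(4, ref('base.group_user'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="False"/>
    <field name="perm_create" eval="False"/>
    <field name="perm_unlink" eval="False"/>
    <field name="active" eval="False"/>
  </record>
</odoo>"""

# Constructed sample data: sale orders reduced to the field the domain tests.
ORDERS = [
    {"name": "S00001", "create_uid": 7},
    {"name": "S00002", "create_uid": 8},
    {"name": "S00003", "create_uid": 7},
]
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b}


def load_rule(xml_text, rule_id):
    """Return (domain_force text, active flag) for one ir.rule record."""
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.get("id") == rule_id and rec.get("model") == "ir.rule":
            fields = {f.get("name"): f for f in rec.iter("field")}
            flag = fields.get("active")
            active = flag is None or flag.get("eval") == "True"
            return fields["domain_force"].text, active
    raise KeyError(rule_id)


def readable_orders(xml_text, rule_id, user_id, orders, force_active=None):
    """Names of the orders user_id can read under this rule (read access only)."""
    domain_text, active = load_rule(xml_text, rule_id)
    active = force_active if force_active is not None else active
    if not active:
        return [o["name"] for o in orders]  # a disabled rule filters nothing
    # Simplification: substitute user.id, then parse the domain as a literal.
    domain = ast.literal_eval(domain_text.replace("user.id", repr(user_id)))
    return [o["name"] for o in orders
            if all(OPS[op](o[field], value) for field, op, value in domain)]
```

With the file as written, user 7 still reads all three orders; passing force_active=True shows the result once the rule is enabled.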
After defining the record rule, we can place this file inside the security folder of our module and reference it in the manifest file.
The created rule can be seen from Settings -> Technical -> Record Rules.
Then, we can see the record rule we created listed in this tree view.
Also, we can create record rules directly from here by clicking on the New button.
In conclusion, record rules in Odoo offer an effective mechanism for managing data access by controlling what users can view, edit, or delete within the system. By setting up rules based on roles and conditions, businesses can ensure that sensitive information is protected while allowing the right level of access to specific users.