Security is an important aspect of a company, so it is very important in ERP software. In Odoo, we can set groups, access rights, and rules for records. Here I am going to discuss record rules. To know more about security, you can refer to our blog: Security in Odoo
Record rules for an object determine who can access its records according to the rules set. Rules can be managed per access mode for the object. There are four access modes:
Create: To create records in the object
Write: Write access for records in the object (Edit)
Read: Read access for records in the object (View only)
Delete: Access to delete records in the object
Record rules are set in an XML file (security>>modulename_security.xml). Here we can consider an example from the fleet module. In the fleet module, only the driver (fleet user) can see his/her vehicle details.
<record id="fleet_rule_vehicle_visibility_user" model="ir.rule">
<field name="name">User can only see his/her vehicle</field>
<field name="model_id" ref="model_fleet_vehicle"/>
<field name="groups" eval="[(4, ref('fleet_group_user'))]"/>
<field name="perm_read" eval="True"/>
<field name="perm_write" eval="True"/>
<field name="perm_create" eval="False"/>
<field name="perm_unlink" eval="False"/>
<field name="domain_force">[('driver_id','=',user.partner_id.id)]</field>
</record>
Here we create a rule for the group fleet_group_user. To know more about groups, refer to the blog: How to Create a Security Group in Odoo 13
<field name="model_id" ref="model_fleet_vehicle"/>
Since the model is fleet.vehicle, ref="model_fleet_vehicle". This rule is applicable to the group fleet_group_user. One can also define the rule for multiple groups. Then we move on to access permissions. In this rule, the driver has only permission to read and write. So we can set the permissions as:
<field name="perm_read" eval="True"/>
<field name="perm_write" eval="True"/>
<field name="perm_create" eval="False"/>
<field name="perm_unlink" eval="False"/>
Since the user group (fleet_group_user) has no permission to create and delete, both are set to False. Next we move on to domain_force:
<field name="domain_force">[('driver_id','=',user.partner_id.id)]</field>
It is the filter for the records to which the rule applies. Here the filter, as the rule definition, is driver_id equal to the user's partner_id.id. If the rule has to apply to all records, domain_force will be as follows:
<field name="domain_force">[(1,'=',1)]</field>
We can also filter the records with more than one condition,
<field name="domain_force">['|',('driver_id','=',user.partner_id.id),('company_id', 'in', company_ids)]</field>
Here we have also filtered with company_id. So the records will be filtered for the current chosen company where driver_id = user.partner_id.id.
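Odoo domains are written in prefix notation: a leading '|' ORs the two conditions that follow it, while conditions listed with no operator are ANDed. The sketch below is an added example, not code from Odoo or from this blog; it is a simplified evaluator run over constructed vehicle records for a hypothetical user, showing which records each form of the domain matches.

```python
# Simplified model of Odoo's prefix-notation domains, not Odoo's own evaluator.
OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b,
       "in": lambda a, b: a in b, "not in": lambda a, b: a not in b}

def normalize(domain):
    """Insert the implicit '&' between conditions that have no operator."""
    out, expected = [], 1
    for tok in domain:
        if expected == 0:              # expression complete: AND the next one
            out.insert(0, "&")
            expected = 1
        if tok in ("&", "|"):
            expected += 1              # binary operator needs one more operand
        elif tok != "!":
            expected -= 1              # a condition fills one operand slot
        out.append(tok)
    return out

def matches(domain, record):
    """Evaluate a domain against one record (a dict of field values)."""
    stack = []
    for tok in reversed(normalize(domain)):
        if tok == "!":
            stack.append(not stack.pop())
        elif tok in ("&", "|"):
            a, b = stack.pop(), stack.pop()
            stack.append((a and b) if tok == "&" else (a or b))
        else:
            field, op, value = tok
            left = record[field] if isinstance(field, str) else field  # (1,'=',1)
            stack.append(OPS[op](left, value))
    return stack.pop()

user = {"partner_id": 7, "company_ids": [1]}      # constructed user and records
vehicles = [
    {"id": 1, "driver_id": 7, "company_id": 1},   # own vehicle, own company
    {"id": 2, "driver_id": 8, "company_id": 1},   # colleague's vehicle, own company
    {"id": 3, "driver_id": 7, "company_id": 2},   # own vehicle, other company
    {"id": 4, "driver_id": 9, "company_id": 2},   # unrelated vehicle
]
own = ("driver_id", "=", user["partner_id"])
in_company = ("company_id", "in", user["company_ids"])
OR_RULE = ["|", own, in_company]    # the two-condition domain shown above
AND_RULE = [own, in_company]        # same conditions without '|' (implicit AND)

def visible(domain):
    return [v["id"] for v in vehicles if matches(domain, v)]
if __name__ == "__main__":
    print(visible(OR_RULE), visible(AND_RULE), visible([(1, "=", 1)]))
```

For this sample user the '|' form matches vehicles 1, 2 and 3, while the form without '|' matches only vehicle 1.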
This is how we can set record rules from the XML code. To view and create record rules from the front end, in debug mode go to Settings -> Technical -> Record Rules.
Here we can see the complete list of record rules in the system.
The above picture shows the corresponding view of the record rule that we created from the XML code.
Record rules can also be created from the front end:
Name: Name for the record rule
Object: Object to which the rule has to apply (model)
Active: Only active rules are applied to the system
Access Rights: By default, all access is permitted.
Apply for Read: Uncheck if the user has no permission to read records
Apply for Write: Uncheck if the user has no permission to write records
Apply for Create: Uncheck if the user has no permission to create records
Apply for Delete: Uncheck if the user has no permission to delete records
Rule Definition (Domain filter): Define the rule (conditions) to filter the records, e.g. [('driver_id','=',user.partner_id.id)]
Groups: Groups to which the record rule has to apply. If no group is set, the rule applies globally.