In the first step, we added groups="my_library.group_library_user" on the <header> tag. This means that the whole header part will only be visible to library users and librarians. Normal backend users who don't have group_library_user will not see the header part.

In step 2, we added the groups="my_library.group_library_librarian" attribute on menuitem. This means that this menu is only visible to librarian users.

You can use the groups attribute almost everywhere, including <field>, <notebook>, <group>, <menuitems>, or any tag from the view architecture. Odoo will hide those elements if the user doesn't have that group. You can use the same group attributes in web pages and QWeb reports, which will be covered in Chapter 13, Automation, Workflows, and Printouts, and Chapter 15, CMS Website Development.

As we saw in the Accessing recordsets as a superuser recipe of this chapter, we can hide fields from some users using the groups argument in the Python field definition. Note that there is a big difference between security groups on fields and Python security groups in views. Security groups in Python provide real security; unauthorized users can't even access the fields through ORM or through RPC calls. However, the groups in views are just for improving usability. Fields hidden through groups in the XML file are still accessible through RPC or ORM.