How it works...

Security Access-Control Lists are stored in the core ir.model.access model. We just need to add the records that describe the intended access rights for each user group.

Any type of data file would do, but the common practice is to use a CSV file. The file can be placed anywhere inside the add-on module directory, but the convention is to have all the security-related files inside a security subdirectory.

The first step in our recipe adds this new data file to the manifest. The second step adds the files that describe the security access-control rules. The CSV file must be named after the model where the records will be loaded, so the file name is mandatory rather than just a convention; refer to Chapter 7, Module Data, for details.

If the module also creates new security groups, the data file that defines them should be declared in the manifest before the ACL data files, since the ACLs may reference those groups. The groups must already exist when the ACL file is processed.

The columns in the CSV file are as follows:

  • id: This is the XML ID internal identifier for this rule. Any unique name inside the module will do, but the convention is to use access_<model>_<group>.
  • name: This is a title for the access rule. It is common practice to use an access.<model>.<group> name.
  • model_id:id: This is the XML ID for the model. Odoo automatically assigns this kind of ID to models with a model_<name> format, using the model's _name with underscores instead of dots. If the model was created in a different add-on module, a fully-qualified XML ID that includes the module name is needed.
  • group_id:id: This is the XML ID for the user group. If left empty, it applies to all users. The base module provides some basic groups, such as base.group_user for all employees and base.group_system for the administration user. Other apps can add their own user groups.
  • perm_read: Members of the preceding group can read the model records. It accepts two values: 0 or 1. Use 0 to restrict the read access on the model and 1 to provide read access.
  • perm_write: Members of the preceding group can update the model records. It accepts two values: 0 or 1. Use 0 to restrict write access on the model and 1 to provide write access.
  • perm_create: Members of the preceding group can add new records of this model. It accepts two values: 0 or 1. Use 0 to restrict create access on the model and 1 to provide create access.
  • perm_unlink: Members of the preceding group can delete records of this model. It accepts two values: 0 or 1. Use 0 to restrict unlink access on the model and 1 to provide unlink access.

The CSV file we used adds read-only access to the Employees|Employee standard security group and full write access to the Administration|Settings group.
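The column rules above can be checked before a module is installed. The following script is an added example, not code from the book or from Odoo: it lints an ACL CSV for missing columns, duplicate ids, malformed model XML IDs, permission values other than 0 or 1, and rows with an empty group that grant rights to all users. The model library.book, its XML IDs, and the function name audit_acl_csv are hypothetical, and the sample data is constructed.

```python
import csv
import io

COLUMNS = ["id", "name", "model_id:id", "group_id:id",
           "perm_read", "perm_write", "perm_create", "perm_unlink"]
PERMS = COLUMNS[4:]

# Constructed sample: the model library.book and its XML IDs are hypothetical.
SAMPLE_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_library_book_user,access.library.book.user,model_library_book,base.group_user,1,0,0,0
access_library_book_admin,access.library.book.admin,model_library_book,base.group_system,1,1,1,1
access_library_book_all,access.library.book.all,model_library_book,,1,1,0,0
access_library_book_bad,access.library.book.bad,library.book,base.group_user,yes,0,0,0
"""

def audit_acl_csv(text):
    """Return a list of (row_id, finding) tuples for an ir.model.access CSV."""
    reader = csv.DictReader(io.StringIO(text))
    findings = []
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [("<header>", "missing columns: " + ", ".join(missing))]
    seen = set()
    for row in reader:
        rid = row["id"].strip()
        if rid in seen:
            findings.append((rid, "duplicate id"))
        seen.add(rid)
        # model_<name> uses underscores; an optional module prefix adds one dot
        model_ref = row["model_id:id"].strip().split(".")[-1]
        if not model_ref.startswith("model_"):
            findings.append((rid, "model_id:id is not a model_<name> XML ID"))
        bad = [p for p in PERMS if row[p].strip() not in ("0", "1")]
        if bad:
            findings.append((rid, "non 0/1 value in " + ", ".join(bad)))
        if not row["group_id:id"].strip():
            granted = [p for p in PERMS if row[p].strip() == "1"]
            if granted:
                findings.append((rid, "no group: applies to all users (" + ", ".join(granted) + ")"))
    return findings

if __name__ == "__main__":
    for rid, finding in audit_acl_csv(SAMPLE_CSV):
        print(f"{rid}: {finding}")
```

The two well-formed rows, which mirror the read-only Employee and full-access Administration grants, produce no findings; the groupless row and the malformed row are reported.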

The Employee user group, base.group_user, is particularly important because the user groups that are added by the Odoo standard apps inherit from it. This means that if we need a new model to be accessible by all the backend users, regardless of the specific apps they work with, we should add that permission to the Employee group.

The resulting ACLs can be viewed from the GUI in debug mode by navigating to Settings|Technical|Security|Access Controls List, as shown in the following screenshot:

Some people find it easier to use this user interface to define ACLs and then use the export feature to produce a CSV file.
