Odoo aims to consolidate all business data in a single database: Sales, Purchase, Inventory, Staff, Accounting and so on. Inevitably the question arises of how to segregate access to these data. The software offers default configuration sets based on pre-defined access groups. However, very often they need to be modified.
In this blog post we give an overview of the various mechanisms used in Odoo to control data access, with a particular focus on those that can be configured through the user interface.
Access to data tables
In Odoo, each model (for example a Sales Order or a Purchase Order) is mapped to a data table. Access (Create, Write, Read, Delete) to a model is defined by an access right. Access rights can be customised from the menu: Settings > Technical > Security > Access Rights
Access to records
What if you need to prevent a sales person from seeing other sales persons' quotations?
All sales persons have access to the table "Sales Orders". What is needed is a rule that segregates access to individual records. This is called "Access Rules", and they can be edited in the graphical interface from the menu: Settings > Technical > Security > Record Rules
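As an added example (not from the original post), here is the XML data an Odoo module would ship to declare both mechanisms above: an access right on the "Sales Orders" table for the salesman group, and a record rule that limits that group to its own quotations. The group and model XML ids (`sales_team.group_sale_salesman`, `sales_team.group_sale_salesman_all_leads`, `sale.model_sale_order`) are the standard ones from the sale and sales_team modules; the record ids and rule names are hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<odoo>
    <!-- Access right (ir.model.access): what the salesman group may do on the
         sale.order table as a whole. Unlink is deliberately left off, so a
         salesperson can create and edit orders but never delete one. -->
    <record id="access_sale_order_salesman" model="ir.model.access">
        <field name="name">sale.order: salesman (no delete)</field>
        <field name="model_id" ref="sale.model_sale_order"/>
        <field name="group_id" ref="sales_team.group_sale_salesman"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_unlink" eval="False"/>
    </record>

    <!-- Record rule (ir.rule): which rows of that table the group may reach.
         The domain is evaluated on every request with `user` bound to the
         current user, so a salesperson only sees orders assigned to them or
         not yet assigned to anyone. -->
    <record id="rule_sale_order_own_only" model="ir.rule">
        <field name="name">Sales orders: own or unassigned</field>
        <field name="model_id" ref="sale.model_sale_order"/>
        <field name="domain_force">['|', ('user_id', '=', user.id), ('user_id', '=', False)]</field>
        <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>

    <!-- Rules attached to groups are OR-ed: a user who is also in the
         "all documents" group matches this rule and therefore sees every
         order. A rule with no `groups` is global and is AND-ed with all the
         others instead, which is the way to subtract access for everyone. -->
    <record id="rule_sale_order_see_all" model="ir.rule">
        <field name="name">Sales orders: all documents</field>
        <field name="model_id" ref="sale.model_sale_order"/>
        <field name="domain_force">[(1, '=', 1)]</field>
        <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman_all_leads'))]"/>
    </record>
</odoo>
```

The same two records can be created by hand from the Access Rights and Record Rules menus mentioned above; shipping them in a module only makes them reproducible across databases.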
What if you want the sales person to check the sales invoices, but you don't want them to see purchase bills?
You can give the "billing" access right to the sales persons. Consequently, they will be able to check all invoices.
To prevent them from seeing the purchase invoices, restrict access to the Accounting App to the "Accountant" level. A billing person will then not be able to access the Accounting App.
Finally, duplicate the menu "Sales Invoice" and put the duplicate in the "Sales" App. Consequently a sales person will be able to see all customer invoices, but not the vendor bills.
Access to views
This is more technical. Odoo uses XML to generate the views. Modifications are made through the inheritance mechanism (see the technical documentation for details). Each modification is itself a record, and access to that record can be restricted.
Practical application: if you open the form view of a contact (base.view_partner_form), you will notice that the "Accounting" data is actually in another form view (account.view_partner_property_form).
Therefore, to make the information in this tab confidential, simply add an access restriction to that view record. Keep in mind that this only hides the tab: the underlying fields stay readable through any other view, export or API call that the user's access rights and record rules allow, so it is a presentation restriction rather than a data one.
Access to fields
Restricting access to fields is more complex. There is no way to do it through configuration; it has to be done in code, either in XML or in Python. Consequently this type of restriction is effectively hard-coded, and in general it is not recommended.
Access to functions
Restricting access to a function must in general be done in Python, i.e. in code. However, when the function is called by a button and changes the state of a record (e.g. confirming a sales order), it is possible to add restrictions based on access level through automated server actions. As automated server actions can be written from the graphical interface, this can be considered configuration (as opposed to a custom module).
A final word
Using the techniques above, it is possible to configure Odoo for most cases. (Note that you will need to know how to write domains; check the official documentation.)
In general, try to adjust the access rights, record rules, automated server actions, etc. using the graphical interface, and avoid hard-coding them, as they will very likely have to be changed over time.
Any comments or questions, feel free to contact us.