
I am using Odoo 13 and I need to set field level access rights on the object level.

I have a Driver group and a Car object.

The Car object has three attributes: door_number, tire_brand, and bank_id.
I need the following:

1) door_number to be read only

2) tire_brand to be read and write only

3) bank_id to be inaccessible to the Driver group.


I know I can edit the view as seen here: https://www.odoo.com/forum/help-1/question/how-to-apply-field-level-access-rights-for-user-19481
This would make the appropriate changes on the view level but the object access rights will not be affected. That would be a security risk.

I also know that I can set the accessible fields on the model itself as seen here: https://www.odoo.com/documentation/13.0/reference/security.html#field-access

However, that would take away both the read and write access rights of all groups unstated in the groups attribute. That will make my previously stated "1) door_number to be read only" impossible to do.

Is there a way to achieve my needs using Odoo 13? I need field level access rights.


Best Answer

Did you try adding base.group_user to the groups attribute for each field that you want to be accessed by Internal Users (everyone)?

Every internal user is a member.

Then, set your read-only fields and add other groups where you only want specific groups to have access.

Author

I have not tried doing that. I was not aware that was an option. Thank you for sharing. However, what do you mean by "set your read-only fields?" Do you mean set them from my views? I would like the field (not just the form) to be secure from unauthorized access.

I mean use the READONLY (or STATES) attribute at the field level.

Author

According to the documentation, "this only has an impact on the UI." https://www.odoo.com/documentation/13.0/reference/orm.html#fields

Is there a way of securing the system at the database level (not just the form level)?

The documentation means to convey that users have no way to set values for these fields directly (even by importing) but the API can still be used to give them a value - programmatically. Odoo users don't have direct access to PostgreSQL. You only have to control database level access for users YOU give access to the database. If you mean the Odoo business object level, then GROUPS (which can be assigned at the field level) provide what you ask. See the "FIELD ACCESS" section of https://www.odoo.com/documentation/13.0/reference/security.html

Author

You said that "the API can still be used to give them a value - programmatically." I thought anyone can access the API? Or do they have to be a PostgreSQL user?

Also, for the link you sent, the documentation says "attempts to (explicitly) read from or write to restricted fields results in an access error." I can't distinguish between read and write with the groups attribute. I need that distinction.
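
One way to get the read/write split asked about in this thread, as an added example that is not from the original posts or from Odoo's own code: the `groups` attribute makes `bank_id` inaccessible outside a manager group, and a `write()` override rejects Driver changes to `door_number` at the ORM level rather than in the view. The module name `fleet_demo`, both group XML IDs, the `res.bank` target and the helper `denied_writes` are assumptions; the import fallback only lets the helper run outside an Odoo server.

```python
try:
    from odoo import fields, models
    from odoo.exceptions import AccessError
except ImportError:  # outside an Odoo server: only the helper below is usable
    models = fields = None

# Hypothetical XML IDs; define the groups in your module's security data.
GROUP_DRIVER = "fleet_demo.group_driver"
GROUP_MANAGER = "fleet_demo.group_manager"

# Fields a group may read but never write (enforced in write(), not in views).
WRITE_DENIED = {"door_number": {GROUP_DRIVER}}


def denied_writes(vals, has_group):
    """Return the sorted field names in `vals` the current user may not write.

    `has_group` is a callable taking a group XML ID, e.g. env.user.has_group.
    """
    return sorted(
        name for name in vals
        if any(has_group(g) for g in WRITE_DENIED.get(name, ()))
    )


if models is not None:

    class Car(models.Model):
        _name = "fleet_demo.car"
        _description = "Car"

        door_number = fields.Integer()  # readable by all, write-guarded below
        tire_brand = fields.Char()      # read/write for anyone with model access
        # `groups` blocks both read and write for users outside the group.
        bank_id = fields.Many2one("res.bank", groups=GROUP_MANAGER)

        def write(self, vals):
            # Superuser mode (sudo) is trusted server code; others are checked.
            if not self.env.su:
                blocked = denied_writes(vals, self.env.user.has_group)
                if blocked:
                    raise AccessError(
                        "You may not modify: %s" % ", ".join(blocked))
            return super().write(vals)
```

If Drivers are also allowed to create cars, `create()` needs the same guard, and any code path that calls `sudo()` bypasses the check by design.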