Hello. I am running Odoo 10 CE. I have a user configured to be allowed access only to sales related documents -- for use by a sales person. The sales person should not have access to anything under Purchases. Under Access Rights, the user has only been added to three security groups: Sales - User: All Documents, Accounting & Finance - Billing, and Employees - Employee. However, I just discovered that the user can edit purchase orders created by Administrator. While the Purchases menu is not available to the user, the user can still access the PO via a link in the notes for a transfer order connected to a sales order. It was my understanding that if a user is not added to a security group, they do not have any access rights to the objects in that group. Is that incorrect? I have made no customizations to the security groups. Is there something I'm missing? Thank you in advance for any guidance.
Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:
- CRM
- e-Commerce
- Accounting
- Inventory
- PoS
- Project management
- MRP
This question has been flagged
You are right Michael, But the problem is here
Accounting & Finance - Billing user have create and write permissions for Purchase Order.
You can check it from Settings/technical/database structure/models
search for purchase order and check in access rights tab.
Yes, thank you Subbarao. I found that later. I removed write access for the Billing security group in the ACL, as I don't believe a Billing user will need that access in this case. I was confused because I assumed that if a user wasn't added to a security group for Purchases, it would have no access to models under Purchases. I see now that is not a safe assumption. Thanks for your answer.
User permissions and access rights: https://goo.gl/4jAhtH