Hey guys,
I'm setting up a new Odoo db right now and I want to create an access group that has read and write access to contacts, only if the custom selection field x_type in a contact has the value "value1".
This is my only access right in this group:
name: ​ ​model: ​read: ​ ​write:

res.partner ​contact ​yes ​ ​yes

This is the only record rule:
name: ​​model: ​domain: ​ ​ ​ ​read: ​ ​write:

value1 ​​contact ​[('x_type','=','value1')] ​ ​yes ​ ​yes

The problem is that the user in this group can still read and write to all contacts even though he is in no other access groups besides "internal user". Also "creating contact" in the user settings is deactivated.
Apparently, the access right works, but the record rule is not restricting the access right.

I have the free version 16 installed on debian 11 with the crm, contacts and mass mailing modules.

Can anyone help me with this problem? Is the domain maybe wrong or is there anything else I have to set up?