Hello all,
If a user belongs to a custom group that already has specific access rights (e.g., inherits Product Manager access), then the system should apply the existing selected access (e.g., Product User).
In this case, Odoo combines (unions) access rights, so the user effectively gets higher access (e.g., Product Admin). That's not a problem.
If the user belongs to a custom group without defined access rights, then:
- The existing access (e.g., Product User) should NOT be applied
- The user should only have read access
- Create, Update, and Delete operations should be disabled
Issue
- XML approach: Does not work as expected; access rights are not restricted
- Python (override): Raises AccessError, but does not prevent UI actions (Create/Update/Delete still visible and only restricted on save)
Expected Behavior
- If no access is defined in the custom group → user should have read-only access
- Create, Update, and Delete should be completely disabled (not just fail on save)
This logic needs to be applied to:
- Product (including variants)
- Stock
What is the correct approach to enforce this behavior in Odoo?
Is there a clean way to control this via security rules or groups?
Or is a UI-level restriction (views) required along with access rules?
NOTE:
- Odoo 19e+
- No need for record rules
Any suggestions on how to handle this would be very helpful.
I look forward to your guidance!
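
An added example, not part of the original post and not Odoo's code: a simplified Python model of the additive (union) group access the post describes, showing why a read-only row on the custom group does not narrow what Product User already grants. The group names, ACL rows and helper functions are constructed assumptions.

```python
# Simplified model of additive group access (illustration, not Odoo's code).
# Group names and ACL rows are constructed for this example.
MODEL = "product.template"

# group -> groups it inherits from
IMPLIED = {
    "custom_with_access": {"product_manager"},
    "product_manager": {"product_user"},
    "product_user": set(),
    "custom_no_access": set(),
}

# (group, model) -> permissions granted by that group's ACL row
ACL = {
    ("product_user", MODEL): {"read", "write", "create"},
    ("product_manager", MODEL): {"read", "write", "create", "unlink"},
    # the "XML approach": a read-only row on the custom group
    ("custom_no_access", MODEL): {"read"},
}


def expand(groups):
    """Return the groups plus everything they inherit, transitively."""
    seen, todo = set(), list(groups)
    while todo:
        group = todo.pop()
        if group not in seen:
            seen.add(group)
            todo.extend(IMPLIED.get(group, ()))
    return seen


def effective(groups, model=MODEL):
    """Union of all grants: a row can add a permission, never take one away."""
    perms = set()
    for group in expand(groups):
        perms |= ACL.get((group, model), set())
    return perms


def granting_groups(groups, perm, model=MODEL):
    """Audit helper: which of the user's groups grant `perm` on `model`."""
    return {g for g in expand(groups) if perm in ACL.get((g, model), set())}


if __name__ == "__main__":
    user = {"product_user", "custom_no_access"}
    print(sorted(effective(user)))
    print(sorted(granting_groups(user, "create")))
```

Under this model, a user is read-only on the model only when none of the groups they hold, directly or through inheritance, grants write, create or unlink.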