On Odoo 12 is possible to create a user and assign to it the "Access rights" group. As pointed also in https://www.odoo.com/it_IT/forum/help-1/question/administration-settings-and-access-rights-7270 this user is now able to create another user with "Settings" group, and feels a little bit strange due to the fact that a user with "Settings" can manage the whole system including install or remove application and change system settings while a user with "Access Rights" group cannot, but actually has the possibility to create a user with "Settings" group who is actually a superuser.
How prevent user with "Access Rights" group to create user with "Settings" group?
Odoo is the world's easiest all-in-one management software.
It includes hundreds of business apps:
- CRM
- e-Commerce
- Accounting
- Inventory
- PoS
- Project management
- MRP
This question has been flagged
4
Replies
12147
Views
Hi Stefano:
One way to do this would be to do the following:
Ensure that the user with Administration / Access Rights does not have Extra Rights / Technical Features privileges. This will prevent the user from using the Settings > Users & Companies > Groups menu item to add a user directly to a security group.
Customize the "Users" form and make the Administration field accessible only to users in the Administration / Settings group by adding a groups="base.group_system" attribute to the field.
Hello,
I am using Odoo 14 Community Edition.
Can someone show me, please
where I can find the Administration / Settings to add groups = "base.group_system"?
Many Thanks
I don't think it is possible (as standard).
You are right that once you grant a user access to Administration (either of the two user access groups) you are giving them the ability to manage both Settings and User Access.
In a typical Odoo implementation this is probably OK, because you wouldn't have two separate people needing access to settings and user access. Do you have a requirement to set it up that way?
The method proposed from Paresh worked nice, thanks!
I also needed a couple of additional steps, because after this the user with "Access Rights" group is still able to clone/edit an user with "Settings" group, so:
added a record rule for the group "Access rights" to prevent edit all the users except administrator.
added a record rule for the group "Settings" to give the possibility to edit user adminstrator.
I don't think adding record rules will do the job because as long as the group "Access Rights" can edit record rules, it can modify all the security
