Skip to Content
This question has been flagged
securityfieldsusersgroupaccessrights
1 Reply
10895 Views
Avatar
Bienvenido Villabroza

I am using Odoo 13 and I need to set field level access rights on the object level.

I have a Driver group and a Car object.

The Car object has three attributes: door_number, tire_brand, and bank_id.
I need the following:

1) door_number to be read only

2) tire_brand to be read and write only

3) band_id to be inaccessible to the Driver group.


I know I can edit the view as seen here: https://www.odoo.com/forum/help-1/question/how-to-apply-field-level-access-rights-for-user-19481
This would make the appropriate changes on the view level but the object access rights will not be affected. That would be a security risk.

I also know that I can set the accessible fields on the model itself as seen here: https://www.odoo.com/documentation/13.0/reference/security.html#field-access

However, that would take away both the read and write access rights of all groups unstated in the groups attribute. That will make my previously stated "1) door_number to be read only" impossible to do.

Is there a way to achieve my needs using Odoo 13? I need field level access rights.


Avatar
Discard
Avatar
Ray Carnes (ray)
Best Answer

Did you try adding base.group_user to the groups attribute for each field that you want to be accessed by Internal Users (everyone)?

Every internal user is a member.

Then, set your read-only fields and add other groups where you only want specific groups to have access.

Avatar
Discard
Bienvenido Villabroza
Author

I have not tried doing that. I was not aware that was an option. Thank you for sharing. However, what do you mean by "set your read-only fields?" Do you mean set them from my views? I would like the field (not just the form) to be secure from unauthorized access.

Ray Carnes (ray)

I mean use the READONLY (or STATES) attribute at the field level.

Bienvenido Villabroza
Author

According to the documentation, "this only has an impact on the UI." https://www.odoo.com/documentation/13.0/reference/orm.html#fields

Is there a way of securing the system in the database level (not just the form level).

Ray Carnes (ray)

The documentation is meaning to convey that users have no way to set values for these fields directly (even by importing) but the API can still be used to give them a value - programatically. Odoo users don't have direct access to PostgreSQL. You only have to control database level access for users YOU give access to the database. If you mean the Odoo business object level, then GROUPS (which can be assigned at the field level) provide what you ask. See the "FIELD ACCESS" section of https://www.odoo.com/documentation/13.0/reference/security.html

Bienvenido Villabroza
Author

You said that "the API can still be used to give them a value - programatically." I thought anyone can access the API? Or do they have to be a PostgreSQL user?

Also, for the link you sent, the documentation says "attempts to (explicitly) read from or write to restricted fields results in an access error." I can't distinguish from read and write with the groups attribute. I need that distinction.

Related Posts Replies Views Activity
Keep Getting "The user cannot have more than one user types." Solved
security users group
Avatar
1
Nov 21
6818
How to hide field from the specific user Solved
security fields hide group odoo12.0
Avatar
Avatar
1
Feb 21
13249
Cannot save the custom group for users in user access rights in Odoo 13 Solved
security users group record_rules Odoo13.0
Avatar
Avatar
1
Dec 19
4700
How to identify which access should give to the specific user as per below error?
security users operation odoo10 accessrights
Avatar
Avatar
1
Aug 17
4822
Users & Group
users group
Avatar
Avatar
2
Sep 22
4903