Yes. Use Recored Rule with a domain like
Here is odony's detailed answer on SO for a similar questions:
OpenERP has two kinds of security restrictions that can be assigned to a user group:
- Access Rights are CRUD yes/no flags (similar to Unix FS permissions), and allow per-model access control. They state whether members of this group may perform a Create, Read, Update, and Delete operation on any document of a certain document model (e.g. a project task). The default policy is DENY, so by default any operation will be refused if the user does not explicitly have the right to perform it via one of her groups' access rights.
- Record Rules are filters applied on CRUD operations, and allow per-document access-control, once access right are already granted. Users will only be able to perform an operation on a given document if the document matches at least one of the record rules. The default policy is ALLOW, so if no rule exists for a given model, all documents of that model may be accessed by users who have the necessary access rights.
Both Access Rights and Record Rules may also be defined globally without assigning them to a specific group, in which case they apply to everyone. There is one pitfall for Record Rules: global rules may NOT be relaxed by other rules (on purpose!), so use with care.
In your case it looks like you should define one extra Record Rule on the Project User group that explicitly restricts access on Project Tasks to your own tasks (and presumably those that are not assigned yet). You need to create a new entry in the Security Rules menu with these parameters:
See own tasks only
- (means: your own tasks and unassigned ones)
- apply for read:
- apply for write:
- apply for create:
- apply for delete:
Project / User
domain of a record rule is a standard OpenERP domain that is evaluated on the records on which you are trying to perform the operation, and can refer to a
user variable that contains the current user's data (technically, a
browse_record on the current user). Look for
search() in the list of ORM methods for a full description of
If you want to allow special users (e.g. Project Managers) to view all tasks in the system, you can relax this rule for them by adding another rule to the Project Manager group which allows access to all tasks. There is a special "domain filter" that means "ALLOW ALL" and is useful to relax another stricter rule:
Note: Have a look at the existing Record Rules to see what they're doing first, and be sure to read the explanations on the Record Rule form when you are adding yours. And remember that if you do something wrong with Access Rights and Record Rules, you can always fix the mess with the
admin account, as these security restrictions do not apply to the
admin (similarly to the
root user on Unix).
For completeness, I should add that OpenERP 7.0 added a limited field/column access control. It is all-or-nothing for now; no specific read, write or create control.
For more information on different field-level access control methods check this answer.
Please try to give a substantial answer. If you wanted to comment on the question or answer, just use the commenting tool. Please remember that you can always revise your answers - no need to answer the same question twice. Also, please don't forget to vote - it really helps to select the best questions and answers!
About This Community
|Asked: 2/21/13, 2:54 AM|
|Seen: 11901 times|
|Last updated: 8/11/16, 8:29 AM|