User permissions and access rights in Odoo 10
Hello. I am running Odoo 10 CE. I have a user configured to be allowed access only to sales related documents -- for use by a sales person. The sales person should not have access to anything under Purchases. Under Access Rights, the user has only been added to three security groups: Sales - User: All Documents, Accounting & Finance - Billing, and Employees - Employee. However, I just discovered that the user can edit purchase orders created by Administrator. While the Purchases menu is not available to the user, the user can still access the PO via a link in the notes for a transfer order connected to a sales order. It was my understanding that if a user is not added to a security group, they do not have any access rights to the objects in that group. Is that incorrect? I have made no customizations to the security groups. Is there something I'm missing? Thank you in advance for any guidance.