Setting up rules' Access Right in xml,csv files

I created a new module that depends on Project Management. I want to add new groups, users, rules and access controls in the security folder. I successfully added groups and users, and to some extent access controls.

My question is: how do I specify the access right (Read/Write/Create/Delete) for every rule?

For example:

  1. User can create/read/write tasks (ACL)
  2. User can read/modify only tasks assigned to him (Rule)
  3. Project managers can see all tasks in their projects (Rule)

I couldn't find any documentation for this point. Any links or explanations?

Access Right

This is how you can give read/write/create/delete rights to a group on a particular object by creating an ir.model.access.csv file. See line number 1 & 2.

Access Rules

This is how you can create access rules for a particular object and groups by creating an XML file.

For example:

    <record model="ir.rule" id="ir_values_my_costume_rule">
        <field name="name">My Rule Name</field>
        <field name="model_id" ref="model_your_model_name"/>
        <field name="domain_force">[('field','operator','value'),('user_id','=',user.id)]</field>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_unlink" eval="True"/>
        <field name="perm_create" eval="True"/>
    </record>

You must put model_ before the model name in <field name="model_id" ref="model_your_model_name"/>, like this: model_sale_order or model_project_task.

Here in eval you can pass either True or False as per your need.


Record Rules can also be defined from the menu without creating any file: Settings -> Technical -> Security -> Record Rules.

There are three main fields that you need to configure carefully in order to define a "Record Rule":

  1. Object: The object on which you want to apply the record rule (in this example it is the "Task" object).
  2. Domain: Set up the domain for filtering the data.
  3. Groups: Add the group for which you want to apply this record rule. If nothing is added then this rule is applied globally, which is usually used for configuring multi-company record rules.

I am going to explain such an access rule by taking the example of the "Task" object of OpenERP.

In my example, suppose my requirement is like this:

The user 'rch' can access only the following kinds of tasks:

  1. All tasks which are not assigned to any user, i.e. ('user_id','=',False)
  2. All tasks which are assigned to user 'rch', i.e. ('user_id','=',user.id)
  3. All tasks of all the projects of which he is a member, i.e. ('project_id.members','in', [user.id])
  4. All tasks of the projects for which he is the project manager, i.e. ('project_id.user_id','=',user.id)

Configure your record rule as follows:

  1. Name: Tasks According to User and Project.
  2. Object: Task.
  3. Domain: ['|','|','|',('user_id','=',False),('user_id','=',user.id),('project_id.members','in', [user.id]),('project_id.user_id','=',user.id)].
  4. Groups: project/User.

Now add this group (project/User) to user 'rch'.
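
How the prefix-notation domain in the answer above selects records, as an added example that is not part of the original answer and not Odoo's own code: a simplified evaluator (only '=' and 'in', dotted paths over nested dicts) run over constructed task records. The user id 7 for 'rch', the sample tasks and all helper names are assumptions; the last function shows that dropping one '|' silently turns the final condition into a mandatory AND.

```python
# Added example: simplified evaluator for prefix-notation record-rule domains.
def _get(record, path):
    value = record
    for part in path.split('.'):
        value = value.get(part) if isinstance(value, dict) else False
    return value

def _leaf(record, leaf):
    field, op, expected = leaf
    actual = _get(record, field)
    if op == '=':
        # an empty many2one is represented as False
        return (not actual) if expected is False else actual == expected
    if op == 'in':
        values = actual if isinstance(actual, list) else [actual]
        return any(v in expected for v in values)
    raise ValueError("unsupported operator: %r" % (op,))

def matches(record, domain):
    """Evaluate right to left; leaves left without an operator are ANDed."""
    stack = []
    for token in reversed(domain):
        if token == '!':
            stack.append(not stack.pop())
        elif token in ('|', '&'):
            a, b = stack.pop(), stack.pop()
            stack.append((a or b) if token == '|' else (a and b))
        else:
            stack.append(_leaf(record, token))
    return all(stack)

def rule_domain(uid):
    # Domain from the answer above, with user.id replaced by uid
    return ['|', '|', '|', ('user_id', '=', False), ('user_id', '=', uid),
            ('project_id.members', 'in', [uid]), ('project_id.user_id', '=', uid)]

RCH = 7  # constructed user id standing in for 'rch'
TASKS = {  # constructed sample records; project_id holds the related project
    'unassigned': {'user_id': False, 'project_id': {'members': [], 'user_id': 1}},
    'mine': {'user_id': RCH, 'project_id': {'members': [], 'user_id': RCH}},
    'member': {'user_id': 9, 'project_id': {'members': [RCH, 9], 'user_id': 1}},
    'manager': {'user_id': 9, 'project_id': {'members': [], 'user_id': RCH}},
    'other': {'user_id': 9, 'project_id': {'members': [9], 'user_id': 1}},
}

def visible(domain):
    return sorted(name for name, rec in TASKS.items() if matches(rec, domain))

def visible_with_missing_or():
    # Same leaves with one '|' removed: (A or B or C) AND D
    return visible(rule_domain(RCH)[1:])
```
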
