Introduction

I've created a new category of security groups, and I've created several groups which belong to it.

My purpose is that the user who creates a new user, has to interact only with the groups I've created, not the default ones of Sales, Purchases, Accounting, etc... For example, if you belong to a group I've created, named Controller, it implies that you're going to belong also to the groupsbase.group_user, account.group_account_invoice, purchase.group_purchase_user andstock.group_stock_manager.

Code

This is the code of two of my groups (named Controller and CFO):

<record id="group_my_controller" model="res.groups">
    <field name="name">Controller</field>
    <field name="category_id" ref="module_category_management"/>
    <field name="implied_ids" eval="[
        (4, ref('base.group_user')),
        (4, ref('account.group_account_invoice')),
        (4, ref('purchase.group_purchase_user')),
        (4, ref('stock.group_stock_manager')),
    ]"/>
    <field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>

<record id="group_my_cfo" model="res.groups">
    <field name="name">CFO</field>
    <field name="category_id" ref="module_category_management"/>
    <field name="implied_ids" eval="[
        (4, ref('base.group_user')),
        (4, ref('base.group_sale_manager')),
        (4, ref('stock.group_stock_manager')),
        (4, ref('account.group_account_manager')),
        (4, ref('purchase.group_purchase_manager')),
        (4, ref('share.group_share_user')),
        (4, ref('base.group_system')),
        (4, ref('project.group_project_manager')),
        (4, ref('base.group_document_user')),
        (4, ref('base.group_hr_manager')),
        (4, ref('marketing.group_marketing_manager')),
        (4, ref('base.group_website_designer')),
    ]"/>
    <field name="users" eval="[(4, ref('base.user_root'))]"/>
</record>

This works well, if I create a user and I set it as Controller for example, the permissions ofAccounting, Purchases and Stock are automatically filled in with the specified ones.

The problem

The problem is when you set an user as CFO and save, and then change your mind and set it asController. When you save, the user keeps the groups of CFO, instead of moving to the groups of Controller. I think that is because CFO ones are less restrictive, because if you do this process the other way around, the permissions of Controller are rightly moved to CFO.

How can I achieve my purpose? Any ideas, please?