.. _reference/security:

Aside from manually managing access using custom code, Odoo provides two main
data-driven mechanisms to manage or restrict access to data.

Both mechanisms are linked to specific users through *groups*: a user belongs
to any number of groups, and security mechanisms are associated to groups,
thus applying security mechanisms to users.

.. _reference/security/acl:

Managed through ``ir.model.access`` records, access controls define access to
a whole model.

Each access control has a model to which it grants permissions, the
permissions it grants and optionally a group.

Access controls are additive: for a given model, a user has all the
permissions granted to any of its groups. If the user belongs to group *A*,
which allows writing, and group *B*, which allows deleting, he can both write

If no group is specified, the access control applies to all users; otherwise
it only applies to the users belonging to the specified group.

Available permissions are creation (``perm_create``), searching and reading
(``perm_read``), updating existing records (``perm_write``) and deleting
existing records (``perm_unlink``).
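The additive behaviour described above, as an added example rather than Odoo's own code: each ``ir.model.access`` record is modelled as a small dataclass, and a user's effective permissions on a model are the union of every record whose group the user belongs to plus every record with no group (which applies to everyone). The ``library.book`` model and the ``library.group_*`` external identifiers are constructed for the example and do not exist in Odoo.

```python
"""Added example (not Odoo's own code): how ir.model.access records combine."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# The four permissions an access control record can grant.
PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")


@dataclass(frozen=True)
class AccessRecord:
    """One row of ir.model.access: a model, optional group, four booleans."""
    model: str
    group: Optional[str]  # group external id, or None for "applies to all users"
    perm_read: bool = False
    perm_write: bool = False
    perm_create: bool = False
    perm_unlink: bool = False

    def granted(self) -> FrozenSet[str]:
        return frozenset(p for p in PERMS if getattr(self, p))


def effective_permissions(acls: Iterable[AccessRecord], model: str,
                          user_groups) -> FrozenSet[str]:
    """Union of the permissions granted to a user (given its groups) on ``model``.

    A record with no group always contributes; a record with a group
    contributes only when the user is a member of that group.
    """
    perms = set()
    for acl in acls:
        if acl.model != model:
            continue
        if acl.group is None or acl.group in user_groups:
            perms |= acl.granted()
    return frozenset(perms)


def check_access(acls: Iterable[AccessRecord], model: str, user_groups,
                 operation: str) -> bool:
    """True if the user may perform ``operation`` (read/write/create/unlink)."""
    return f"perm_{operation}" in effective_permissions(acls, model, user_groups)


# Constructed records for a hypothetical ``library.book`` model, mirroring
# what an ir.model.access.csv would declare: everyone may read, the editor
# group may write and create, the manager group may delete.
ACLS = [
    AccessRecord("library.book", None, perm_read=True),
    AccessRecord("library.book", "library.group_editor",
                 perm_write=True, perm_create=True),
    AccessRecord("library.book", "library.group_manager", perm_unlink=True),
]

if __name__ == "__main__":
    both = {"library.group_editor", "library.group_manager"}
    print(sorted(effective_permissions(ACLS, "library.book", both)))
```

Because the records are combined with a union, there is no way to express "deny" in ``ir.model.access``: a permission granted to any one of the user's groups wins, which is why rows meant to restrict access should be attached to a group and never left group-less.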
.. _reference/security/rules:

Record rules are conditions that records must satisfy for an operation
(create, read, update or delete) to be allowed. They are applied record by
record, after access control has been applied.

* a model on which it applies
* a set of permissions to which it applies (e.g. if ``perm_read`` is set, the
  rule will only be checked when reading a record)
* a set of user groups to which the rule applies, if no group is specified
* a :ref:`domain <reference/orm/domains>` used to check whether a given record
  matches the rule (and is accessible) or does not (and is not accessible).
  The domain is evaluated with two variables in context: ``user`` is the
  current user's record and ``time`` is the `time module`_

Global rules and group rules (rules restricted to specific groups versus
rules applying to all users) are used quite differently:

* Global rules are subtractive, they *must all* be matched for a record to be
* Group rules are additive, if *any* of them matches (and all global rules
  match) then the record is accessible

This means the first *group rule* restricts access, but any further
*group rule* expands it, while *global rules* can only ever restrict access
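The global-versus-group evaluation order, as an added example that is not Odoo's own implementation. A rule's domain is represented as a function of the two context variables the text names (``user`` and the ``time`` module) returning a list of ``(field, operator, value)`` triples that are implicitly AND-ed; only the operators the example needs are implemented. The ``library.loan`` model, the ``library.group_*`` identifiers and the records are constructed.

```python
"""Added example (not Odoo's own code): per-record evaluation of record rules."""
import time
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Tuple

Triple = Tuple[str, str, object]


@dataclass(frozen=True)
class User:
    id: int
    company_id: int
    groups: FrozenSet[str]


@dataclass(frozen=True)
class RecordRule:
    model: str
    perms: FrozenSet[str]       # operations the rule is checked for
    groups: FrozenSet[str]      # empty set -> global rule
    # domain(user, time) -> triples; evaluated with the same two context
    # variables the documentation describes.
    domain: Callable[[User, object], List[Triple]]


def _match(record: dict, triple: Triple) -> bool:
    """Minimal domain operator support; Odoo's real evaluator handles far more."""
    field_name, op, value = triple
    actual = record.get(field_name)
    if op == "=":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "in":
        return actual in value
    if op == "not in":
        return actual not in value
    raise ValueError(f"operator {op!r} not supported in this example")


def domain_matches(rule: RecordRule, record: dict, user: User) -> bool:
    # An empty domain matches every record.
    return all(_match(record, t) for t in rule.domain(user, time))


def record_allowed(rules: Iterable[RecordRule], model: str, operation: str,
                   record: dict, user: User) -> bool:
    """Global rules must all match; of the user's group rules, any may match.

    When no group rule applies to the user, only the global rules constrain
    access (record rules never grant what the model-level ACL denied).
    """
    applicable = [r for r in rules if r.model == model and operation in r.perms]
    global_rules = [r for r in applicable if not r.groups]
    group_rules = [r for r in applicable if r.groups & user.groups]
    if not all(domain_matches(r, record, user) for r in global_rules):
        return False
    if group_rules and not any(domain_matches(r, record, user) for r in group_rules):
        return False
    return True


ALL_OPS = frozenset({"read", "write", "create", "unlink"})

# Constructed rules for a hypothetical ``library.loan`` model:
#  - a global multi-company rule (restricts everyone),
#  - a group rule letting ordinary users see only their own loans,
#  - a second group rule letting managers see every loan (expands access).
RULES = [
    RecordRule("library.loan", ALL_OPS, frozenset(),
               lambda user, _t: [("company_id", "=", user.company_id)]),
    RecordRule("library.loan", frozenset({"read", "write"}),
               frozenset({"library.group_user"}),
               lambda user, _t: [("user_id", "=", user.id)]),
    RecordRule("library.loan", ALL_OPS, frozenset({"library.group_manager"}),
               lambda user, _t: []),
]

if __name__ == "__main__":
    alice = User(7, 1, frozenset({"library.group_user"}))
    print(record_allowed(RULES, "library.loan", "read",
                         {"user_id": 8, "company_id": 1}, alice))  # False
```

The two ``if`` statements in ``record_allowed`` are the whole point: a failing global rule is fatal regardless of group membership, while adding the manager group rule only ever widens what the user group rule allowed.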
.. warning:: record rules do not apply to the Administrator user

   although access rules do

An ORM :class:`~openerp.fields.Field` can have a ``groups`` attribute
providing a list of groups (as a comma-separated string of
:term:`external identifiers`).

If the current user is not in one of the listed groups, he will not have

* restricted fields are automatically removed from requested views
* restricted fields are removed from :meth:`~openerp.models.Model.fields_get`
* attempts to (explicitly) read from or write to restricted fields result in

field access groups apply to administrator in fields_get but not in
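How a field's ``groups`` attribute is applied, as an added example that is not Odoo's own code: the attribute is split on commas into external identifiers, a field is accessible when the user belongs to at least one of them, inaccessible fields are dropped from the ``fields_get`` description, and an explicit read or write of one raises an access error. The ``library.book`` fields and ``library.group_*`` identifiers are constructed; the Administrator special case the text mentions is deliberately not modelled.

```python
"""Added example (not Odoo's own code): field-level access via ``groups``."""
from typing import Dict, FrozenSet, Iterable, List, Optional


class AccessError(Exception):
    """Stands in for openerp.exceptions.AccessError in this example."""


# Field name -> value of the field's ``groups`` attribute (None = unrestricted),
# as it would be written on a hypothetical ``library.book`` model.
FIELDS: Dict[str, Optional[str]] = {
    "name": None,
    "list_price": None,
    "purchase_cost": "library.group_buyer,library.group_librarian",
    "internal_notes": "library.group_librarian",
}


def parse_groups(attr: Optional[str]) -> FrozenSet[str]:
    """Split the comma-separated external identifiers, ignoring stray spaces."""
    if not attr:
        return frozenset()
    return frozenset(g.strip() for g in attr.split(",") if g.strip())


def field_accessible(field_name: str, user_groups) -> bool:
    """Unrestricted fields are always accessible; otherwise any listed group suffices."""
    required = parse_groups(FIELDS[field_name])
    return not required or bool(required & frozenset(user_groups))


def fields_get(user_groups) -> Dict[str, Optional[str]]:
    """Field description with restricted fields removed, as the ORM does."""
    return {name: attr for name, attr in FIELDS.items()
            if field_accessible(name, user_groups)}


def denied_fields(field_names: Iterable[str], user_groups) -> List[str]:
    return [f for f in field_names if not field_accessible(f, user_groups)]


def read(record: dict, field_names: List[str], user_groups) -> dict:
    """Explicit read: refuse the whole call if any requested field is restricted."""
    denied = denied_fields(field_names, user_groups)
    if denied:
        raise AccessError(f"fields not accessible: {', '.join(denied)}")
    return {f: record[f] for f in field_names}


def write(record: dict, values: dict, user_groups) -> dict:
    """Explicit write: same rule, checked before anything is modified."""
    denied = denied_fields(values, user_groups)
    if denied:
        raise AccessError(f"fields not writable: {', '.join(denied)}")
    updated = dict(record)
    updated.update(values)
    return updated


# Constructed record used by the usage below.
BOOK = {"name": "Example title", "list_price": 20.0,
        "purchase_cost": 12.5, "internal_notes": "constructed"}

if __name__ == "__main__":
    print(sorted(fields_get({"library.group_buyer"})))
```

Note that the check in ``read`` and ``write`` happens before any data is touched, so a request mixing permitted and restricted fields fails as a whole rather than silently returning a partial result.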
Workflow transition rules
=========================

Workflow transitions can be restricted to a specific group. Users outside the
group cannot trigger the transition.

.. _foo: http://google.com
.. _time module: https://docs.python.org/2/library/time.html