Typically, access rights in Odoo (user roles, groups, and permissions) are established during the initial Odoo deployment by an implementation partner. Business analysts encompass all the roles of current and future employees and define them during the discovery phase. Subsequently, a Odoo administrator has the ability to manage access rights on an individual basis.

As an example of the comprehensive documentation we provide throughout our Odoo projects, this guide is specifically tailored for tech-savvy individuals within your company, including system administrators, IT managers, and more. We understand that not every company has a dedicated system administrator, which is why we offer a range of support packages designed to assume all technical responsibilities – Contact us.

The relationship between Roles, Groups, Access Rights, Users, and Permissions in Odoo.

In Odoo, Users are individual accounts that are created within the system and assigned to one or more Groups. Each Group has their own set of Access Rights, which determine what actions users can perform within the system.

Business Roles

While groups occupy the top position in Odoo’s access rights hierarchy, let’s begin with business roles for a fuller understanding.

Roles are predefined sets of Groups that can be assigned to Users. Each Role / Group encompasses a defined set of Access Rights that determine what actions a User can perform within the system.

For example, there may be a Sales Manager Role that includes permissions to create and edit Sales Orders but not to create or delete Products.

Note, “Roles” is not a standard entity in Odoo. (However, in the screenshots below, this entity will be visible, since an additional module from OCA is installed.). More ↓

Groups

are a set of Access Rights. Groups can be used to assign permissions to multiple Users at once, rather than assigning permissions to each User individually.

For example, a Sales Team Group may include all Users in the Sales department who need access to Sales-related functions.

Access Rights

are the specific permissions that determine what actions a User can perform within the system. Access Rights can be assigned at the Group level, and they can be granted or denied for specific objects or fields within the system.

For example, a Group may have the right to view Sales Orders but not to edit them. 

Permissions

are the specific actions (CRUD – create, read, update/write, delete) that a Group can perform within the system. Permissions are assigned at the Access Right level, and they can be granted or denied for specific objects or fields within the system.

For example, a Group may have permission to create Sales Orders but not to delete them. 

Record Rules

are a type of Access Right that can be assigned to Groups to restrict access to specific records within a model.

For example, the User can have read access to the Sale Orders model (table), but the record rule can restrict access to certain records according to the conditions.

Note, Record rules have a higher level of priority than permissions.

Roles, Groups, Access Rights, Users, and Permissions in Odoo
The relationship between Roles, Groups, Access Rights, Users, and Permissions in Odoo

In this diagram, Groups are assigned to Users based on their historically established business roles, and these Groups define access to Models. Groups and Models have a unique combination of Access Rights. Access Rights define permissions and can be redefined by Record Rules. 

Each User has their own set of Access Rights, which determine what actions they can perform within the system. Permissions are assigned at the Access Right level, and they determine what specific actions a User can perform within the system.

Odoo access rights settings

Let’s consider each concept in more detail.

SMEs and large companies should handle user access rights with utmost care, particularly when faced with staff turnover. Read the following success story about an IT service company with 250 employees: 
From Budget Overruns to a Profitable Tech Company in Just 6 Months

Groups

odoo groups

The Groups menu in Odoo refers to a feature that allows you to manage user access and permissions within the system. In Odoo, you can create groups that define specific roles, such as “Sales Manager” or “Accounting Clerk,” and assign users to those groups based on their job responsibilities.

By default, Odoo comes with a number of predefined groups, such as “User” and “Administrator” (for some modules, such as Odoo E-commerce connectors, there are additional groups, for instance for Accounting) that have different system access levels. 

You can also create custom groups that are tailored to your organization’s specific needs.

Using the Groups menu in Odoo, you can perform a variety of tasks related to user access and permissions, including:

  • Creating new Groups and assigning Users to those groups.
odoo groups
  • Defining the access rights for each group, such as read, write, create, or delete permissions for specific modules or records.
define odoo groups
  • Managing the inheritance of access rights between groups, so that users who belong to multiple groups have the appropriate access level.
odoo group inheritance
  • Viewing and editing the access rights for individual users or groups.
  • Restricting access to certain areas of the system based on user roles and permissions.

Overall, the Groups menu in Odoo is an important tool for managing user access and permissions within the system and can help ensure that users have the appropriate level of access to the information and functionality they need to perform their job responsibilities.

Example of applying Groups in Ventor (Odoo inventory management mobile app):

Ventor PRO

Roles

odoo roles

In Odoo standard, there is no definition for Roles (it’s mostly a general business definition). In some of our projects, we use a module that defines the Roles based on the Groups. (A variety of ready-to-use modules are available in the Odoo store for defining business roles in Odoo.) However, such assignments are not obligatory. Toward the end of this article, you will find an example of an approach using standard Odoo. 

Each role may be associated with multiple users and vice versa; each user may be associated with multiple roles.

Once you have defined a new role, you can assign it to users in your system by going to their user record and selecting the appropriate role from the Roles tab.

Ref.: https://apps.odoo.com/apps/modules/18.0/base_user_role

Access Rights

Access Rights refer to the ability of a user or group to access or perform certain actions within the system. These actions can include creating, editing, deleting, or viewing records, as well as accessing certain menus, features, or buttons.

Access Rights are managed through the user groups. Each user group has a set of predefined access rights that determine what actions (C, R, U, or D) its members can perform within the system. 

Each Odoo module provides a variety of built-in user groups, each with its own set of access rights. Administrators can also create custom user groups and assign specific access rights to them as needed.

odoo access rights

The Access Rights on Groups allow managing only access rights to models. If we are talking about access to elements, one way this can be hidden/shown is through the Record Rules, and another way is through the code (XML file, Python, or JavaScript code).

What elements can be hidden: 

buttons (XML); 

menus (XML); 

menu items (XML); 

views (XML); 

fields (Python, XML); 

Also, checking access rights can be performed in Python or in JavaScript to define necessary action to be done by using this method.

Permissions

odoo permissions

In Odoo, permissions refer to the specific actions that a user or group is allowed or not allowed to perform within the system. Permissions are a subset of Access Rights and are used to further restrict or grant access to specific features or functions within the system. 

Odoo provides a wide range of permissions, including the ability to create, edit, delete, or view specific records, access certain menus or features, or perform specific actions within the system. Permissions can be assigned at the group, or record level, depending on the organization’s specific needs.

To grant specific access rights for a user, you need to create a new group (only for this single user).

For example, an administrator might assign the "Create" permission for Sales Orders to a specific user group, allowing its members to create new Sales Orders within the system. 
Alternatively, the administrator might assign the "Read" permission for Purchase Orders to a specific user, allowing them to view but not edit (“Write”) or delete Purchase Orders. 

By managing permissions, administrators can ensure that users have access only to the specific features and data they need to do their jobs, while also maintaining data security and preventing unauthorized access to sensitive information.

In exceptional cases, in order to skip permission, check that Odoo developers run some actions as “SUDO” (super) user. As a result, the system behavior can be differentiated from expected access rights data.

Record Rules

Odoo record rules

Record Rules are a type of Access Right that can be assigned to Groups to restrict access to specific records within a model. They allow you to define specific criteria for which records a user can see, create, edit, or delete.

Record Rules are defined using domain expressions, which are used to filter records based on specific criteria. For example, you might create a Record Rule that only allows users in a specific Group to view or edit records where the “responsible user” field matches their own user ID (see “Personal Orders” on the screen above).

Record Rules can be applied to any model in Odoo, including custom models created by the user. They can be used to restrict access to sensitive data, ensure data privacy, or prevent users from accidentally modifying or deleting important records.

Example of setting up access rights for a new user

In this video, you will learn how access rights are created using the example of a sales manager role.

odoo access rights

Ready to Streamline your Odoo Project for Maximum Efficiency?

Recommended articles:

  1. Odoo Implementation Steps
  2. Key Performance Indicators (KPIs) and their Role in Successful ERP Implementation
  3. 10 most common questions to the official Odoo partner
  4. Top 10 Reasons to Choose Odoo ERP for Your Business
  5. How a US Repair Company Scaled Up After Migrating from a Legacy System to Odoo
  6. From Manual to Automated: How Odoo ERP Helped a Swiss IT Service Company to Grow Turnover 2.5 Times

Team Lead at VentorTech || Website || + posts

----------------------------------------------------------------------
Education: Bachelor's degree.
----------------------------------------------------------------------
Experience:
- Business Analyst
- QA Engineer
VentorTech
----------------------------------------------------------------------
Current position: Team Lead VentorTech
----------------------------------------------------------------------
Odoo v14 and v16 Functional Certification

Business Analyst at VentorTech || Website || + posts

I'm a responsible, enthusiastic and goal-oriented team player Business Analyst with 3+ years of experience in web projects for companies in Europe and the USA. I have been involved in B2B and B2C projects.

I'm open to new knowledge and experience in business analysis and project management.