The record rules are always enforced regardless of the _check_access value.
Model access rights are defined by records of ir.model.access, which define, for each pair of model and group, the permission. The permissions are related to the ModelStorage methods with the same name and on search() using the
If any group the user belongs to has the checked permission activated, then the user is granted this permission.
If there is no record for the model, then access is granted to all users.
Relation fields for which the user has no read access are automatically removed from the views.
ir.action has a groups field which contains a list of user groups that are allowed to see and launch it.
There is a special case for wizards: the read access on the model is also checked, and the write access is checked as well if there are no groups linked.
Fields for which the user has no read access are automatically removed from the views.
The record rules are conditions that records must meet for the user to be granted permission to use them. They are defined by records of ir.rule.group, each of which contains:
- a model on which it applies
- the permissions granted
- a set of user groups to which the rule applies
- a global flag to always enforce
- a default flag to add to all users
- a list of ir.rule with a domain to select the records to which the rule applies.
A rule group matches a record if the record is validated by at least one of the domains. The access is granted to a record:
- if the user belongs to a group which has at least one matching rule group that has the permission,
- or if there is a default matching rule group with the permission,
- or if there is a global matching rule group with the permission.
Otherwise the access is denied if there is any matching rule group.
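The decision described above can be modelled in a few lines. This is an added example, not Tryton's own code: `RuleGroup` and `record_access` are hypothetical names, domains are replaced by plain Python predicates, and treating a record that no rule group matches as unrestricted is this example's reading of the last sentence.

```python
from dataclasses import dataclass, field


@dataclass
class RuleGroup:
    """Simplified stand-in for an ir.rule.group record (not Tryton's class)."""
    perms: set                      # permissions granted, e.g. {"read", "write"}
    domains: list                   # one predicate per ir.rule (stand-in for a domain)
    groups: set = field(default_factory=set)
    global_p: bool = False
    default_p: bool = False

    def matches(self, record):
        # A rule group matches when at least one of its domains validates the record.
        return any(domain(record) for domain in self.domains)


def record_access(user_groups, record, perm, rule_groups):
    """Return True if the record rules grant `perm` on `record`."""
    matching = [rg for rg in rule_groups if rg.matches(record)]
    for rg in matching:
        if perm in rg.perms and (
                rg.global_p or rg.default_p or rg.groups & set(user_groups)):
            return True
    # Denied only when some rule group matched without granting; with no
    # matching rule group the record is not restricted (assumption, see lead-in).
    return not matching


# Constructed sample data: the "sales" group may read and write company 1
# records; a default rule group lets every user read public records.
RULES = [
    RuleGroup({"read", "write"}, [lambda r: r["company"] == 1], groups={"sales"}),
    RuleGroup({"read"}, [lambda r: r["public"]], default_p=True),
]
own = {"company": 1, "public": False}
shared = {"company": 2, "public": True}
other = {"company": 2, "public": False}
```

Under this reading, `other` is readable by everyone because no rule group matches it, which is the case to check when reviewing a rule set for records that fall outside every domain.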
Records for which the user has no read access are filtered out from the