Access Rights

There are 5 levels of access rights: Model , Actions, Field, Button and Record Rule. They are based on the user’s group membership. If any of those levels are violated, an error is raised.

The access rights are checked if the Transaction.context has the key _check_access set to True (set by default by RPC.check_access) and if the user is not root.

Warning

The record rules are always enforced regardless of the _check_access value.

Model

They are defined by records of ir.model.access which define for each couple of model and group, the read, write, create and delete permission. The permissions are related to the ModelStorage methods with the same name and on search() using the read permission.

If any group the user belongs to has the checked permission activated, then the user is granted this permission.

If there is no record for the model, then access is granted to all users.

Note

Relation fields for which the user has no read access are automatically removed from the views.

Actions

Each ir.action has a groups field which contains a list of user groups that are allowed to see and launch it.

There is a special case for wizard for which the read access on the model is also checked and also the write access if there is no groups linked.

Field

They are defined by records of ir.model.field.access and work like those for Model but are applied to fields.

Note

Fields for which the user has no read access are automatically removed from the views.

Button

For each button of a model the records of ir.model.button define the list of groups that are allowed to call it. The user only needs to belong to one of the groups to be granted the permission to use it.

If no group is defined for a button, the write permission to the model is checked instead.

The read permission to the model is always enforced.

Note

Buttons for which the user has no access are marked readonly.

Button Rule

The ir.model.button can contain a list of rules which define how many different users must click on the button. Each rule, for which the condition is met, must be passed to actually trigger the action. The counter can be reset when another defined button is clicked.

Record Rule

The record rules are conditions that records must meet for the user to be granted permission to use them. They are defined by records of ir.rule.group which contains:

  • a model on which it applies
  • the permissions granted
  • a set of user groups to which the rule applies
  • a global flag to always enforce
  • a default flag to add to all users
  • a list of ir.rule with a domain to select the records to which the rule applies.

A rule group matches a record if the record is validated by at least one of the domains. The access is granted to a record:

  • if the user belongs to a group which has at least one matching rule group that has the permission,
  • or if there is a default matching rule group with the permission,
  • or if there is a global matching rule group with the permission.

Otherwise the access is denied if there is any matching rule group.

Note

Records for which the user has no read access are filtered out from the search() result.