.. _topics-access_rights: ============= Access Rights ============= There are 5 levels of access rights: `Model`_ , `Actions`_, `Field`_, `Button`_ and `Record Rule`_. They are based on the user's group membership. If any of those levels are violated, an error is raised. The access rights are checked if the :attr:`Transaction.context ` has the key ``_check_access`` set to ``True`` (set by default by :attr:`RPC.check_access `) and if the :attr:`~trytond.transaction.Transaction.user` is not ``root``. Model ===== They are defined by records of ``ir.model.access`` which define for each couple of model and group, the ``read``, ``write``, ``create`` and ``delete`` permission. The permissions are related to the :class:`~trytond.model.ModelStorage` methods with the same name and on :meth:`~trytond.model.ModelStorage.search` using the ``read`` permission. If any group the user belongs to has the checked permission activated, then the user is granted this permission. If there is no record for the model, then access is granted to all users. .. note:: Relation fields for which the user has no read access are automatically removed from the :ref:`views `. Actions ======= Each ``ir.action`` has a ``groups`` field which contains a list of user groups that are allowed to see and launch it. There is a special case for :ref:`wizard ` for which the read access on the model is also checked and also the write access if there is no groups linked. Field ===== They are defined by records of ``ir.model.field.access`` and work like those for `Model`_ but are applied to :ref:`fields `. .. note:: Fields for which the user has no read access are automatically removed from the :ref:`views `. Button ====== For each button of a model the records of ``ir.model.button`` define the list of groups that are allowed to call it. The user only needs to belong to one of the groups to be granted the permission to use it. If no group is defined for a button, the ``write`` permission to the model is checked instead. The ``read`` permission to the model is always enforced. .. note:: Buttons for which the user has no access are marked readonly. Button Rule ----------- The ``ir.model.button`` can contain a list of rules which define how many different users must click on the button. Each rule, for which the condition is met, must be passed to actually trigger the action. The counter can be reset when another defined button is clicked. Record Rule =========== The record rules are conditions that records must meet for the user to be granted permission to use them. They are defined by records of ``ir.rule.group`` which contains: - a model on which it applies - the permissions granted - a set of user groups to which the rule applies - a global flag to always enforce - a default flag to add to all users - a list of ``ir.rule`` with a :ref:`domain ` to select the records to which the rule applies. A rule group matches a record if the record is validated by at least one of the domains. The access is granted to a record: - if the user belongs to a group which has at least one matching rule group that has the permission, - or if there is a default matching rule group with the permission, - or if there is a global matching rule group with the permission. Otherwise the access is denied if there is any matching rule group. .. note:: Records for which the user has no ``read`` access are filtered out from the :meth:`~trytond.model.ModelStorage.search` result.