[IMP] general: users access rights rewrite
closes odoo/documentation#8401
X-original-commit: ae061c9041
Signed-off-by: Samuel Lieber (sali) <sali@odoo.com>
Signed-off-by: Timothy Kukulka (tiku) <tiku@odoo.com>
@ -1,67 +1,184 @@
|
||||
=============
|
||||
Access Rights
|
||||
Access rights
|
||||
=============
|
||||
|
||||
Activate the :ref:`developer mode <developer-mode>`, then go to :menuselection:`Settings --> Users &
|
||||
Companies --> Groups`.
|
||||
*Access rights* are permissions that determine the content and applications users can access and
|
||||
edit. In Odoo, these permissions can be set for individual users or for groups of users. Limiting
|
||||
permissions to only those who need them ensures that users do not modify or delete anything they
|
||||
should not have access to.
|
||||
|
||||
Groups
|
||||
======
|
||||
**Only** an *administrator* can change access rights.
|
||||
|
||||
| When choosing the groups the user can have access under
|
||||
:ref:`Access Rights <users/add-individual>`, details of the rules and inheritances of that group
|
||||
are not shown, so this is when the menu *Groups* comes along. *Groups* are created to define rules
|
||||
to models within an application.
|
||||
| Under *Users*, have a list of the current ones. The ones with administrative rights are shown
|
||||
in black.
|
||||
.. danger::
|
||||
Making changes to access rights can have a detrimental impact on the database. This includes
|
||||
*impotent admin*, which means that no user in the database can make changes to the access rights.
|
||||
For this reason, Odoo recommends contacting an Odoo Business Analyst, or our Support Team, before
|
||||
making changes.
|
||||
|
||||
.. image:: access_rights/groups-users.png
|
||||
.. tip::
|
||||
A user **must** have the specific *Administration* access rights set on their user profile, in
|
||||
order to make changes on another user's settings for access rights.
|
||||
|
||||
To access this setting, navigate to :menuselection:`Settings app --> Manage users --> select a
|
||||
user --> Access Rights tab --> Administration section --> Administration field`.
|
||||
|
||||
Once at the setting, an already existing administrator **must** change the setting in the
|
||||
:guilabel:`Administration` field to :guilabel:`Access Rights`.
|
||||
|
||||
Once complete, click :guilabel:`Save` to save the changes, and implement the user as an
|
||||
administrator.
|
||||
|
||||
Users
|
||||
=====
|
||||
|
||||
The access rights for :ref:`individual users <users/add-individual>` are set when the user is added
|
||||
to the database, but they can be adjusted at any point in the user's profile.
|
||||
|
||||
To make changes to a user's rights, click on the desired user to edit their profile.
|
||||
|
||||
.. image:: access_rights/navigate-to-users-menu.png
|
||||
:align: center
|
||||
:alt: View of a group’s form emphasizing the tab users in Odoo
|
||||
:alt: Users menu in the Users & Companies section of the Settings app of Odoo.
|
||||
|
||||
*Inherited* means that users added to this application group are automatically added to the
|
||||
following ones. In the example below, users who have access to the group *Administrator* of *Sales*
|
||||
also have access to *Website/Restricted Editor* and *Sales/User: All Documents*.
|
||||
On the user's profile page, in the :guilabel:`Access Rights` tab, scroll down to view the current
|
||||
permissions.
|
||||
|
||||
.. image:: access_rights/groups-inherited.png
|
||||
For each app, use the drop-down menu to select what level of permission this user should have. The
|
||||
options vary for each section, yet the most common are: :guilabel:`Blank/None`, :guilabel:`User: Own
|
||||
Documents`, :guilabel:`User: All Documents`, or :guilabel:`Administrator`.
|
||||
|
||||
The :guilabel:`Administration` field in the :guilabel:`Access Rights` tab has the following options:
|
||||
:guilabel:`Settings` or :guilabel:`Access Rights`.
|
||||
|
||||
.. image:: access_rights/user-permissions-dropdown-menu.png
|
||||
:align: center
|
||||
:height: 330
|
||||
:alt: View of a group’s form emphasizing the tab inherited in Odoo
|
||||
:alt: The Sales apps drop-down menu to set the user's level of permissions.
|
||||
|
||||
Create and modify groups
|
||||
========================
|
||||
|
||||
*Groups* are app-specific sets of permissions that are used to manage common access rights for a
|
||||
large amount of users. Administrators can modify the existing groups in Odoo, or create new ones to
|
||||
define rules for models within an application.
|
||||
|
||||
To access groups, first activate Odoo's :ref:`developer mode <developer-mode>`, then go to
|
||||
:menuselection:`Settings app --> Users & Companies --> Groups`.
|
||||
|
||||
.. image:: access_rights/click-users-and-companies.png
|
||||
:align: center
|
||||
:alt: Groups menu in the Users & Companies section of the Settings app of Odoo.
|
||||
|
||||
To create a new group from the :guilabel:`Groups` page, click :guilabel:`Create`. Then, from the
|
||||
blank group form, select an :guilabel:`Application`, and complete the group form (detailed below).
|
||||
|
||||
To modify existing groups, click on an existing group from the list displayed on the
|
||||
:guilabel:`Groups` page, and edit the contents of the form.
|
||||
|
||||
Enter a :guilabel:`Name` for the group and tick the checkbox next to :guilabel:`Share Group`, if
|
||||
this group was created to set access rights for sharing data with some users.
|
||||
|
||||
.. important::
|
||||
Remember to always test the settings being changed in order to ensure that they are being applied
|
||||
to the needed and right users.
|
||||
Always test the settings being changed to ensure they are being applied to the correct users.
|
||||
|
||||
The *Menus* tab is where you define which menus (models) the user can have access to.
|
||||
The group form contains multiple tabs for managing all elements of the group. In each tab, click
|
||||
:guilabel:`Add a line` to add a new row for users or rules, and click the :guilabel:`❌ (remove)`
|
||||
icon to remove a row.
|
||||
|
||||
.. image:: access_rights/groups-menus.png
|
||||
.. image:: access_rights/groups-form.png
|
||||
:align: center
|
||||
:height: 330
|
||||
:alt: View of a group’s form emphasizing the tab menus in Odoo
|
||||
:alt: Tabs in the Groups form to modify the settings of the group.
|
||||
|
||||
*Access Rights* rules are the first level of rights. The field is composed of the object name, which
|
||||
is the technical name given to a model. For each model, enable the following options as appropriate:
|
||||
- :guilabel:`Users` tab: lists the current users in the group. Users listed in black have
|
||||
administrative rights. Users without administrative access appear in blue. Click :guilabel:`Add a
|
||||
line` to add users to this group.
|
||||
- :guilabel:`Inherited` tab: inherited means that users added to this group are automatically added
|
||||
to the groups listed on this tab. Click :guilabel:`Add a line` to add inherited groups.
|
||||
|
||||
- *Read*: the values of that object can be only seen by the user.
|
||||
- *Write*: the values of that object can be edited by the user.
|
||||
- *Create*: values for that object can be created by the user.
|
||||
- *Delete*: the values of that object can be deleted by the user.
|
||||
.. example::
|
||||
For example, if the group *Sales/Administrator* lists the group *Website/Restricted Editor* in
|
||||
its :guilabel:`Inherited` tab, then any users added to the *Sales/Administrator* group
|
||||
automatically receive access to the *Website/Restricted Editor* group, as well.
|
||||
|
||||
.. image:: access_rights/groups-access-rights.png
|
||||
:align: center
|
||||
:alt: View of a group’s form emphasizing the tab access rights in Odoo
|
||||
- :guilabel:`Menus` tab: defines which menus/models the group can have access to. Click
|
||||
:guilabel:`Add a line` to add a specific menu.
|
||||
- :guilabel:`Views` tab: lists which views in Odoo the group has access to. Click :guilabel:`Add a
|
||||
line` to add a view to the group.
|
||||
- :guilabel:`Access Rights` tab: lists the first level of rights (models) that this group has access
|
||||
rights to. Click :guilabel:`Add a line` to link access rights to this group. In this tab, the
|
||||
:guilabel:`Model` column represents the common name of the menu/model, and the :guilabel:`Name`
|
||||
column represents the technical name given to the model. For each model, enable the following
|
||||
options as appropriate:
|
||||
|
||||
| As a second layer of editing and visibility rules, *Record Rules* can be formed. They overwrite,
|
||||
or refine, the *Access Rights*.
|
||||
| A record rule is written using a *Domain*. Domains are conditions used to filter or searching
|
||||
data. Therefore, a domain expression is a list of conditions. For each rule, choose among the
|
||||
following options: *Read*, *Write*, *Create* and *Delete* values.
|
||||
- :guilabel:`Read`: users can see the object's existing values.
|
||||
- :guilabel:`Write`: users can edit the object's existing values.
|
||||
- :guilabel:`Create`: users can create new values for the object.
|
||||
- :guilabel:`Delete`: users can delete values for the object.
|
||||
|
||||
.. image:: access_rights/groups-record-rules.png
|
||||
:align: center
|
||||
:alt: View of a group’s form emphasizing the tab record rules in Odoo
|
||||
.. tip::
|
||||
First try searching for the common name of the model in the drop-down menu of the
|
||||
:guilabel:`Model` column. The :guilabel:`Model` technical name can be found by expanding the
|
||||
model common name, which can be done by clicking the :guilabel:`(external link)` icon.
|
||||
|
||||
The model technical name can also be accessed in :ref:`developer mode <developer-mode>`.
|
||||
|
||||
On a form, navigate to any field, and hover over the field name. A box of backend information
|
||||
reveals itself with the specific Odoo :guilabel:`Object` name in the backend. This is the
|
||||
technical name of the model that should be added.
|
||||
|
||||
.. image:: access_rights/technical-info.png
|
||||
:align: center
|
||||
:alt: Technical information shown on a field of a model, with object highlighted.
|
||||
|
||||
- :guilabel:`Record Rules`: lists the second layer of editing and visibility rights.
|
||||
:guilabel:`Record Rules` overwrite, or refine, the group's access rights. Click :guilabel:`Add a
|
||||
line` to add a record rule to this group. For each rule, choose values for the following options:
|
||||
|
||||
- :guilabel:`Apply for Read`.
|
||||
- :guilabel:`Apply for Write`.
|
||||
- :guilabel:`Apply for Create`.
|
||||
- :guilabel:`Apply for Delete`.
|
||||
|
||||
.. important::
|
||||
Record rules are written using a *domain*, or conditions that filter data. A domain expression
|
||||
is a list of such conditions. For example:
|
||||
|
||||
`[('mrp_production_ids', 'in', user.partner_id.commercial_partner_id.production_ids.ids)]`
|
||||
|
||||
This record rule is to enable MRP consumption warnings for subcontractors.
|
||||
|
||||
Odoo has a library of preconfigured record rules for ease of use. Users without knowledge of
|
||||
domains (and domain expressions) should consult an Odoo Business Analyst, or the Odoo Support
|
||||
Team, before making changes.
|
||||
|
||||
Superuser mode
|
||||
==============
|
||||
|
||||
*Superuser mode* allows the user to bypass record rules and access rights. To activate *Superuser
|
||||
mode*, first, activate :ref:`developer mode <developer-mode>`. Then, navigate to the *debug* menu,
|
||||
represented by a :guilabel:`🪲 (bug)` icon, located in the top banner.
|
||||
|
||||
Finally, towards the bottom of the menu, click :guilabel:`Become Superuser`.
|
||||
|
||||
.. important::
|
||||
Making changes in access rights can have a big impact on the database. For this reason, we
|
||||
recommend you to contact your Odoo Business Analyst or our Support Team, unless you have
|
||||
knowledge about Domains in Odoo.
|
||||
Only users with *Settings* access for the *Administration* section of the *Access Rights* (in
|
||||
their user profile) are allowed to log in to *Superuser mode*.
|
||||
|
||||
.. danger::
|
||||
*Superuser mode* allows for circumvention of record rules and access rights, and therefore,
|
||||
should be exercised with extreme caution.
|
||||
|
||||
Upon exiting *Superuser mode*, users may be locked out of the database, due to changes that were
|
||||
made. This can cause *impotent admin*, or an administrator without the ability to change access
|
||||
rights/settings.
|
||||
|
||||
In this case contact Odoo Support here: `new help ticket <https://www.odoo.com/help>`_. The
|
||||
support team is able to restore access using a support login.
|
||||
|
||||
To leave *Superuser mode*, log out of the account, by navigating to the upper-right corner, and
|
||||
clicking on the :guilabel:`OdooBot` username. Then, select the :guilabel:`Log out` option.
|
||||
|
||||
.. tip::
|
||||
An alternative way to activate *Superuser mode* is to login as a superuser. To do that, navigate
|
||||
to the login screen, and enter the appropriate :guilabel:`Email` and :guilabel:`Password`.
|
||||
|
||||
Instead of clicking :guilabel:`Login`, click :guilabel:`Log in as superuser`.
|
||||
|
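Review bot: In the Users section, the Administration field is listed with two options, "Settings" or "Access Rights", but the text never says what each one grants. The opening tip requires "Access Rights" to change another user's rights, while the Superuser mode section requires "Settings" to become superuser. Suggest one sentence per option under the Administration paragraph, so an administrator can tell which level they are handing out and which one opens the path to bypassing record rules. In the record rules important block, the domain example is wrapped in single backticks, which reStructuredText reads as interpreted text with the default role, not as an inline literal; use double backticks or a code-block directive. The Menus tab bullet says "menus/models", which reads as if removing a menu restricts the model. Model access is what the Access Rights and Record Rules bullets describe, so drop "/models" from the Menus bullet.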
BIN
content/applications/general/users/access_rights/groups-form.png
Normal file
After Width: | Height: | Size: 14 KiB |