[IMP] general: users access rights rewrite

closes odoo/documentation#8401

X-original-commit: ae061c9041
Signed-off-by: Samuel Lieber (sali) <sali@odoo.com>
Signed-off-by: Timothy Kukulka (tiku) <tiku@odoo.com>

content/applications/general/users/access_rights.rst

@@ -1,67 +1,184 @@
 =============
-Access Rights
+Access rights
 =============
 
-Activate the :ref:`developer mode <developer-mode>`, then go to :menuselection:`Settings --> Users &
-Companies --> Groups`.
+*Access rights* are permissions that determine the content and applications users can access and
+edit. In Odoo, these permissions can be set for individual users or for groups of users. Limiting
+permissions to only those who need them ensures that users do not modify or delete anything they
+should not have access to.
 
-Groups
-======
+**Only** an *administrator* can change access rights.
 
-| When choosing the groups the user can have access under
-  :ref:`Access Rights <users/add-individual>`, details of the rules and inheritances of that group
-  are not shown, so this is when the menu *Groups* comes along. *Groups* are created to define rules
-  to models within an application.
-| Under *Users*, have a list of the current ones. The ones with administrative rights are shown
-  in black.
+.. danger::
+   Making changes to access rights can have a detrimental impact on the database. This includes
+   *impotent admin*, which means that no user in the database can make changes to the access rights.
+   For this reason, Odoo recommends contacting an Odoo Business Analyst, or our Support Team, before
+   making changes.
 
-.. image:: access_rights/groups-users.png
+.. tip::
+   A user **must** have the specific *Administration* access rights set on their user profile, in
+   order to make changes on another user's settings for access rights.
+
+   To access this setting, navigate to :menuselection:`Settings app --> Manage users --> select a
+   user --> Access Rights tab --> Administration section --> Administration field`.
+
+   Once at the setting, an already existing administrator **must** change the setting in the
+   :guilabel:`Administration` field to :guilabel:`Access Rights`.
+
+   Once complete, click :guilabel:`Save` to save the changes, and implement the user as an
+   administrator.
+
+Users
+=====
+
+The access rights for :ref:`individual users <users/add-individual>` are set when the user is added
+to the database, but they can be adjusted at any point in the user's profile.
+
+To make changes to a user's rights, click on the desired user to edit their profile.
+
+.. image:: access_rights/navigate-to-users-menu.png
    :align: center
-   :alt: View of a group’s form emphasizing the tab users in Odoo
+   :alt: Users menu in the Users & Companies section of the Settings app of Odoo.
 
-*Inherited* means that users added to this application group are automatically added to the
-following ones. In the example below, users who have access to the group *Administrator* of *Sales*
-also have access to *Website/Restricted Editor* and *Sales/User: All Documents*.
+On the user's profile page, in the :guilabel:`Access Rights` tab, scroll down to view the current
+permissions.
 
-.. image:: access_rights/groups-inherited.png
+For each app, use the drop-down menu to select what level of permission this user should have. The
+options vary for each section, yet the most common are: :guilabel:`Blank/None`, :guilabel:`User: Own
+Documents`, :guilabel:`User: All Documents`, or :guilabel:`Administrator`.
+
+The :guilabel:`Administration` field in the :guilabel:`Access Rights` tab has the following options:
+:guilabel:`Settings` or :guilabel:`Access Rights`.
+
+.. image:: access_rights/user-permissions-dropdown-menu.png
    :align: center
-   :height: 330
-   :alt: View of a group’s form emphasizing the tab inherited in Odoo
+   :alt: The Sales apps drop-down menu to set the user's level of permissions.
+
+Create and modify groups
+========================
+
+*Groups* are app-specific sets of permissions that are used to manage common access rights for a
+large amount of users. Administrators can modify the existing groups in Odoo, or create new ones to
+define rules for models within an application.
+
+To access groups, first activate Odoo's :ref:`developer mode <developer-mode>`, then go to
+:menuselection:`Settings app --> Users & Companies --> Groups`.
+
+.. image:: access_rights/click-users-and-companies.png
+   :align: center
+   :alt: Groups menu in the Users & Companies section of the Settings app of Odoo.
+
+To create a new group from the :guilabel:`Groups` page, click :guilabel:`Create`. Then, from the
+blank group form, select an :guilabel:`Application`, and complete the group form (detailed below).
+
+To modify existing groups, click on an existing group from the list displayed on the
+:guilabel:`Groups` page, and edit the contents of the form.
+
+Enter a :guilabel:`Name` for the group and tick the checkbox next to :guilabel:`Share Group`, if
+this group was created to set access rights for sharing data with some users.
 
 .. important::
-   Remember to always test the settings being changed in order to ensure that they are being applied
-   to the needed and right users.
+   Always test the settings being changed to ensure they are being applied to the correct users.
 
-The *Menus* tab is where you define which menus (models) the user can have access to.
+The group form contains multiple tabs for managing all elements of the group. In each tab, click
+:guilabel:`Add a line` to add a new row for users or rules, and click the :guilabel:`❌ (remove)`
+icon to remove a row.
 
-.. image:: access_rights/groups-menus.png
+.. image:: access_rights/groups-form.png
    :align: center
-   :height: 330
-   :alt: View of a group’s form emphasizing the tab menus in Odoo
+   :alt: Tabs in the Groups form to modify the settings of the group.
 
-*Access Rights* rules are the first level of rights. The field is composed of the object name, which
-is the technical name given to a model. For each model, enable the following options as appropriate:
+- :guilabel:`Users` tab: lists the current users in the group. Users listed in black have
+  administrative rights. Users without administrative access appear in blue. Click :guilabel:`Add a
+  line` to add users to this group.
+- :guilabel:`Inherited` tab: inherited means that users added to this group are automatically added
+  to the groups listed on this tab. Click :guilabel:`Add a line` to add inherited groups.
 
-- *Read*: the values of that object can be only seen by the user.
-- *Write*: the values of that object can be edited by the user.
-- *Create*: values for that object can be created by the user.
-- *Delete*: the values of that object can be deleted by the user.
+  .. example::
+     For example, if the group *Sales/Administrator* lists the group *Website/Restricted Editor* in
+     its :guilabel:`Inherited` tab, then any users added to the *Sales/Administrator* group
+     automatically receive access to the *Website/Restricted Editor* group, as well.
 
-.. image:: access_rights/groups-access-rights.png
-   :align: center
-   :alt: View of a group’s form emphasizing the tab access rights in Odoo
+- :guilabel:`Menus` tab: defines which menus/models the group can have access to. Click
+  :guilabel:`Add a line` to add a specific menu.
+- :guilabel:`Views` tab: lists which views in Odoo the group has access to. Click :guilabel:`Add a
+  line` to add a view to the group.
+- :guilabel:`Access Rights` tab: lists the first level of rights (models) that this group has access
+  rights to. Click :guilabel:`Add a line` to link access rights to this group. In this tab, the
+  :guilabel:`Model` column represents the common name of the menu/model, and the :guilabel:`Name`
+  column represents the technical name given to the model. For each model, enable the following
+  options as appropriate:
 
-| As a second layer of editing and visibility rules, *Record Rules* can be formed. They overwrite,
-  or refine, the *Access Rights*.
-| A record rule is written using a *Domain*. Domains are conditions used to filter or searching
-  data. Therefore, a domain expression is a list of conditions. For each rule, choose among the
-  following options: *Read*, *Write*, *Create* and *Delete* values.
+  - :guilabel:`Read`: users can see the object's existing values.
+  - :guilabel:`Write`: users can edit the object's existing values.
+  - :guilabel:`Create`: users can create new values for the object.
+  - :guilabel:`Delete`: users can delete values for the object.
 
-.. image:: access_rights/groups-record-rules.png
-   :align: center
-   :alt: View of a group’s form emphasizing the tab record rules in Odoo
+  .. tip::
+     First try searching for the common name of the model in the drop-down menu of the
+     :guilabel:`Model` column. The :guilabel:`Model` technical name can be found by expanding the
+     model common name, which can be done by clicking the :guilabel:`(external link)` icon.
+
+     The model technical name can also be accessed in :ref:`developer mode <developer-mode>`.
+
+     On a form, navigate to any field, and hover over the field name. A box of backend information
+     reveals itself with the specific Odoo :guilabel:`Object` name in the backend. This is the
+     technical name of the model that should be added.
+
+     .. image:: access_rights/technical-info.png
+        :align: center
+        :alt: Technical information shown on a field of a model, with object highlighted.
+
+- :guilabel:`Record Rules`: lists the second layer of editing and visibility rights.
+  :guilabel:`Record Rules` overwrite, or refine, the group's access rights. Click :guilabel:`Add a
+  line` to add a record rule to this group. For each rule, choose values for the following options:
+
+  - :guilabel:`Apply for Read`.
+  - :guilabel:`Apply for Write`.
+  - :guilabel:`Apply for Create`.
+  - :guilabel:`Apply for Delete`.
+
+  .. important::
+     Record rules are written using a *domain*, or conditions that filter data. A domain expression
+     is a list of such conditions. For example:
+
+     `[('mrp_production_ids', 'in', user.partner_id.commercial_partner_id.production_ids.ids)]`
+
+     This record rule is to enable MRP consumption warnings for subcontractors.
+
+     Odoo has a library of preconfigured record rules for ease of use. Users without knowledge of
+     domains (and domain expressions) should consult an Odoo Business Analyst, or the Odoo Support
+     Team, before making changes.
+
+Superuser mode
+==============
+
+*Superuser mode* allows the user to bypass record rules and access rights. To activate *Superuser
+mode*, first, activate :ref:`developer mode <developer-mode>`. Then, navigate to the *debug* menu,
+represented by a :guilabel:`🪲 (bug)` icon, located in the top banner.
+
+Finally, towards the bottom of the menu, click :guilabel:`Become Superuser`.
 
 .. important::
-   Making changes in access rights can have a big impact on the database. For this reason, we
-   recommend you to contact your Odoo Business Analyst or our Support Team, unless you have
-   knowledge about Domains in Odoo.
+   Only users with *Settings* access for the *Administration* section of the *Access Rights* (in
+   their user profile) are allowed to log in to *Superuser mode*.
+
+.. danger::
+   *Superuser mode* allows for circumvention of record rules and access rights, and therefore,
+   should be exercised with extreme caution.
+
+   Upon exiting *Superuser mode*, users may be locked out of the database, due to changes that were
+   made. This can cause *impotent admin*, or an administrator without the ability to change access
+   rights/settings.
+
+   In this case contact Odoo Support here: `new help ticket <https://www.odoo.com/help>`_. The
+   support team is able to restore access using a support login.
+
+To leave *Superuser mode*, log out of the account, by navigating to the upper-right corner, and
+clicking on the :guilabel:`OdooBot` username. Then, select the :guilabel:`Log out` option.
+
+.. tip::
+   An alternative way to activate *Superuser mode* is to login as a superuser. To do that, navigate
+   to the login screen, and enter the appropriate :guilabel:`Email` and :guilabel:`Password`.
+
+   Instead of clicking :guilabel:`Login`, click :guilabel:`Log in as superuser`.