[IMP] general: users access rights rewrite

closes odoo/documentation#8393

X-original-commit: ae061c9041
Signed-off-by: Samuel Lieber (sali) <sali@odoo.com>
Signed-off-by: Timothy Kukulka (tiku) <tiku@odoo.com>
tiku-odoo 2024-03-04 12:14:23 -05:00 committed by Sam Lieber (sali)
parent 2733aac1fc
commit c779852011
11 changed files with 162 additions and 45 deletions

@ -1,67 +1,184 @@
=============
Access Rights
Access rights
=============
Activate the :ref:`developer mode <developer-mode>`, then go to :menuselection:`Settings --> Users &
Companies --> Groups`.
*Access rights* are permissions that determine the content and applications users can access and
edit. In Odoo, these permissions can be set for individual users or for groups of users. Limiting
permissions to only those who need them ensures that users do not modify or delete anything they
should not have access to.
Groups
======
**Only** an *administrator* can change access rights.
| When choosing the groups the user can have access under
:ref:`Access Rights <users/add-individual>`, details of the rules and inheritances of that group
are not shown, so this is when the menu *Groups* comes along. *Groups* are created to define rules
to models within an application.
| Under *Users*, have a list of the current ones. The ones with administrative rights are shown
in black.
.. danger::
Making changes to access rights can have a detrimental impact on the database. This includes
*impotent admin*, which means that no user in the database can make changes to the access rights.
For this reason, Odoo recommends contacting an Odoo Business Analyst, or our Support Team, before
making changes.
.. image:: access_rights/groups-users.png
.. tip::
A user **must** have the specific *Administration* access rights set on their user profile, in
order to make changes on another user's settings for access rights.
To access this setting, navigate to :menuselection:`Settings app --> Manage users --> select a
user --> Access Rights tab --> Administration section --> Administration field`.
Once at the setting, an already existing administrator **must** change the setting in the
:guilabel:`Administration` field to :guilabel:`Access Rights`.
Once complete, click :guilabel:`Save` to save the changes, and implement the user as an
administrator.
Users
=====
The access rights for :ref:`individual users <users/add-individual>` are set when the user is added
to the database, but they can be adjusted at any point in the user's profile.
To make changes to a user's rights, click on the desired user to edit their profile.
.. image:: access_rights/navigate-to-users-menu.png
:align: center
:alt: View of a groups form emphasizing the tab users in Odoo
:alt: Users menu in the Users & Companies section of the Settings app of Odoo.
*Inherited* means that users added to this application group are automatically added to the
following ones. In the example below, users who have access to the group *Administrator* of *Sales*
also have access to *Website/Restricted Editor* and *Sales/User: All Documents*.
On the user's profile page, in the :guilabel:`Access Rights` tab, scroll down to view the current
permissions.
.. image:: access_rights/groups-inherited.png
For each app, use the drop-down menu to select what level of permission this user should have. The
options vary for each section, yet the most common are: :guilabel:`Blank/None`, :guilabel:`User: Own
Documents`, :guilabel:`User: All Documents`, or :guilabel:`Administrator`.
The :guilabel:`Administration` field in the :guilabel:`Access Rights` tab has the following options:
:guilabel:`Settings` or :guilabel:`Access Rights`.
.. image:: access_rights/user-permissions-dropdown-menu.png
:align: center
:height: 330
:alt: View of a groups form emphasizing the tab inherited in Odoo
:alt: The Sales apps drop-down menu to set the user's level of permissions.
Create and modify groups
========================
*Groups* are app-specific sets of permissions that are used to manage common access rights for a
large amount of users. Administrators can modify the existing groups in Odoo, or create new ones to
define rules for models within an application.
To access groups, first activate Odoo's :ref:`developer mode <developer-mode>`, then go to
:menuselection:`Settings app --> Users & Companies --> Groups`.
.. image:: access_rights/click-users-and-companies.png
:align: center
:alt: Groups menu in the Users & Companies section of the Settings app of Odoo.
To create a new group from the :guilabel:`Groups` page, click :guilabel:`Create`. Then, from the
blank group form, select an :guilabel:`Application`, and complete the group form (detailed below).
To modify existing groups, click on an existing group from the list displayed on the
:guilabel:`Groups` page, and edit the contents of the form.
Enter a :guilabel:`Name` for the group and tick the checkbox next to :guilabel:`Share Group`, if
this group was created to set access rights for sharing data with some users.
.. important::
Remember to always test the settings being changed in order to ensure that they are being applied
to the needed and right users.
Always test the settings being changed to ensure they are being applied to the correct users.
The *Menus* tab is where you define which menus (models) the user can have access to.
The group form contains multiple tabs for managing all elements of the group. In each tab, click
:guilabel:`Add a line` to add a new row for users or rules, and click the :guilabel:`❌ (remove)`
icon to remove a row.
.. image:: access_rights/groups-menus.png
.. image:: access_rights/groups-form.png
:align: center
:height: 330
:alt: View of a groups form emphasizing the tab menus in Odoo
:alt: Tabs in the Groups form to modify the settings of the group.
*Access Rights* rules are the first level of rights. The field is composed of the object name, which
is the technical name given to a model. For each model, enable the following options as appropriate:
- :guilabel:`Users` tab: lists the current users in the group. Users listed in black have
administrative rights. Users without administrative access appear in blue. Click :guilabel:`Add a
line` to add users to this group.
- :guilabel:`Inherited` tab: inherited means that users added to this group are automatically added
to the groups listed on this tab. Click :guilabel:`Add a line` to add inherited groups.
- *Read*: the values of that object can be only seen by the user.
- *Write*: the values of that object can be edited by the user.
- *Create*: values for that object can be created by the user.
- *Delete*: the values of that object can be deleted by the user.
.. example::
For example, if the group *Sales/Administrator* lists the group *Website/Restricted Editor* in
its :guilabel:`Inherited` tab, then any users added to the *Sales/Administrator* group
automatically receive access to the *Website/Restricted Editor* group, as well.
.. image:: access_rights/groups-access-rights.png
:align: center
:alt: View of a groups form emphasizing the tab access rights in Odoo
- :guilabel:`Menus` tab: defines which menus/models the group can have access to. Click
:guilabel:`Add a line` to add a specific menu.
- :guilabel:`Views` tab: lists which views in Odoo the group has access to. Click :guilabel:`Add a
line` to add a view to the group.
- :guilabel:`Access Rights` tab: lists the first level of rights (models) that this group has access
rights to. Click :guilabel:`Add a line` to link access rights to this group. In this tab, the
:guilabel:`Model` column represents the common name of the menu/model, and the :guilabel:`Name`
column represents the technical name given to the model. For each model, enable the following
options as appropriate:
| As a second layer of editing and visibility rules, *Record Rules* can be formed. They overwrite,
or refine, the *Access Rights*.
| A record rule is written using a *Domain*. Domains are conditions used to filter or searching
data. Therefore, a domain expression is a list of conditions. For each rule, choose among the
following options: *Read*, *Write*, *Create* and *Delete* values.
- :guilabel:`Read`: users can see the object's existing values.
- :guilabel:`Write`: users can edit the object's existing values.
- :guilabel:`Create`: users can create new values for the object.
- :guilabel:`Delete`: users can delete values for the object.
.. image:: access_rights/groups-record-rules.png
:align: center
:alt: View of a groups form emphasizing the tab record rules in Odoo
.. tip::
First try searching for the common name of the model in the drop-down menu of the
:guilabel:`Model` column. The :guilabel:`Model` technical name can be found by expanding the
model common name, which can be done by clicking the :guilabel:`(external link)` icon.
The model technical name can also be accessed in :ref:`developer mode <developer-mode>`.
On a form, navigate to any field, and hover over the field name. A box of backend information
reveals itself with the specific Odoo :guilabel:`Object` name in the backend. This is the
technical name of the model that should be added.
.. image:: access_rights/technical-info.png
:align: center
:alt: Technical information shown on a field of a model, with object highlighted.
- :guilabel:`Record Rules`: lists the second layer of editing and visibility rights.
:guilabel:`Record Rules` overwrite, or refine, the group's access rights. Click :guilabel:`Add a
line` to add a record rule to this group. For each rule, choose values for the following options:
- :guilabel:`Apply for Read`.
- :guilabel:`Apply for Write`.
- :guilabel:`Apply for Create`.
- :guilabel:`Apply for Delete`.
.. important::
Record rules are written using a *domain*, or conditions that filter data. A domain expression
is a list of such conditions. For example:
`[('mrp_production_ids', 'in', user.partner_id.commercial_partner_id.production_ids.ids)]`
This record rule is to enable MRP consumption warnings for subcontractors.
Odoo has a library of preconfigured record rules for ease of use. Users without knowledge of
domains (and domain expressions) should consult an Odoo Business Analyst, or the Odoo Support
Team, before making changes.
Superuser mode
==============
*Superuser mode* allows the user to bypass record rules and access rights. To activate *Superuser
mode*, first, activate :ref:`developer mode <developer-mode>`. Then, navigate to the *debug* menu,
represented by a :guilabel:`🪲 (bug)` icon, located in the top banner.
Finally, towards the bottom of the menu, click :guilabel:`Become Superuser`.
.. important::
Making changes in access rights can have a big impact on the database. For this reason, we
recommend you to contact your Odoo Business Analyst or our Support Team, unless you have
knowledge about Domains in Odoo.
Only users with *Settings* access for the *Administration* section of the *Access Rights* (in
their user profile) are allowed to log in to *Superuser mode*.
.. danger::
*Superuser mode* allows for circumvention of record rules and access rights, and therefore,
should be exercised with extreme caution.
Upon exiting *Superuser mode*, users may be locked out of the database, due to changes that were
made. This can cause *impotent admin*, or an administrator without the ability to change access
rights/settings.
In this case contact Odoo Support here: `new help ticket <https://www.odoo.com/help>`_. The
support team is able to restore access using a support login.
To leave *Superuser mode*, log out of the account, by navigating to the upper-right corner, and
clicking on the :guilabel:`OdooBot` username. Then, select the :guilabel:`Log out` option.
.. tip::
An alternative way to activate *Superuser mode* is to login as a superuser. To do that, navigate
to the login screen, and enter the appropriate :guilabel:`Email` and :guilabel:`Password`.
Instead of clicking :guilabel:`Login`, click :guilabel:`Log in as superuser`.
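
Review bot: The Users section lists the :guilabel:`Administration` options as :guilabel:`Settings` or :guilabel:`Access Rights` without saying what each level grants or which is broader, while the tip near the top requires :guilabel:`Access Rights` to change another user's rights and the Superuser mode note requires *Settings* to become superuser. Please add a sentence after the options list stating how the two levels differ, so an existing administrator knows what is being delegated before saving the profile. Two smaller points: the domain example under Record Rules is wrapped in single backticks, which reST reads as interpreted text with the default role rather than as an inline literal, so use double backticks or a code-block directive; and the term *impotent admin* is used in the first danger block before it is defined in the Superuser mode danger block, so the definition should move up to the first use.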
