Hi guys,
In this tutorial I will teach you how to create security groups, how to add specific users to these groups and how to show/hide menu’s depending on in which group the user is in. An example of the result after this tutorial:
1. Creating a model
The first thing to do is to create a model. If you already have an existing model you can skip this chapter and continue with part 2.
Still reading? Alright, let us create a new model. In this tutorial I will create a new model named ‘demo.access.rights’, with just one simple field. Create a new Python file under the ‘models’ directory and create a new model with a field:
1 2 3 4 5 6 7 |
# -*- coding: utf-8 -*- from openerp import models, fields, api class demo_access_rights(models.Model): _name = 'demo.access.rights' _rec_name = 'name' name = fields.Char('Name',required=True) |
2. Creating the security groups
Alright, now that we have a model, the next thing to do is to create the security groups with the specific rights that you would like to give to this group.
First of all open up the ir.model.access.csv file (under security/) and look at the top of the file:
When you look at this file you’ll see that there are a few columns. Let me explain them a bit into detail:
- Id: An unique identifier for the record (they should always be unique!)
- Name: This is the description that is shown in the front-end and is the name for the security group.
- model_id:id: The name of the model where you want to create a security rule for. Replace the ‘.’ by an ‘_’. If you have a model named ‘this.model’ it should become ‘this_model’ and it should always be prefixed with model_. So this would become ‘model_this_model’ in my example.
- group_id:id: An unique name of the group.
- perm_read: If this is set to 1 it means that all users that are in this group have read acces on this model. If it is set to 0 it means that the users don’t have read rights.
- perm_write: If this is set to 1 it means that all users that are in this group have write acces on this model. If it is set to 0 it means that the users don’t have write rights.
- perm_create: If this is set to 1 it means that all users that are in this group have create acces on this model. If it is set to 0 it means that the users don’t have create rights.
- perm_unlink: If this is set to 1 it means that all users that are in this group have delete acces on this model. If it is set to 0 it means that the users don’t have delete rights.
Let us start writing security groups. In my example I will create two groups: one with full rights for reading, writing, creating and deleting (admin behaviour) and one group that can only read records. Let me show you the result and I will then explain it further!
1 2 3 |
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink demo_admin, Model admin access,model_demo_access_rights,user_access_rights_demo.group_manager,1,1,1,1 demo_user, Model user access,model_demo_access_rights,user_access_rights_demo.group_user,1,0,0,0 |
Look at those two rules for a minute and try to figure out what they do.
I’ve created two lines, which means two groups, that are both for the model ‘demo.access.rights’, where the first group has all rights on the model and the second group can only read data (look at the 1,1,1,1 and the 1,0,0,0).
Do you notice something else? There is a group_id in the field named ‘user_access_rights_demo.group_manager’ on the first line and ‘user_access_rights_demo.group_user’ on the second line. What do these two mean? Well, the first part (‘user_access_rights_demo’) is the name of the module where you are creating groups for. The second part, ‘group_manager’ will link to an XML record in which we specify the rest of the details. Add those lines to your CSV file, save it and then close it.
3. Creating the groups and selection in XML
Now that you’ve written the groups in the CSV we have the rules but in the CSV file they link to ‘group_manager’ and ‘group_user’, which we still haven’t made anywhere. So let us make them!
Create a new XML file under the ‘security’ folder so that we can write the XML side. In my example I’ve named the file ‘user_groups.xml’ as you can see here:
We now need three things:
- A group named ‘group_user’
- A group named ‘group_manager’
- A record that will link these both groups in a dropdown, in order to show it in the user his form.
Let’s start by writing a record that will show our both groups in a dropdown:
1 2 3 4 5 |
<record model="ir.module.category" id="module_management"> <field name="name">Demo module access</field> <field name="description">User access level for this module</field> <field name="sequence">3</field> </record> |
This will create an option in the user his form that has the label ‘Demo module access’ and a description ‘User access level for this module’. The sequence can be used to specify where it should come in the view. When you’re done with this part it will show this selection:
One down, two to go. We now need to create two group records (‘group_user’ and ‘group_manager’) so that the CSV can find and use these groups. The code should look like this:
1 2 3 4 5 6 7 8 9 10 11 12 |
<record id="group_user" model="res.groups"> <field name="name">User</field> <field name="implied_ids" eval="[(4, ref('base.group_user'))]"/> <field name="users" eval="[(4, ref('base.user_root'))]"/> <field name="category_id" ref="user_access_rights_demo.module_management"/> </record> <record id="group_manager" model="res.groups"> <field name="name">Manager</field> <field name="implied_ids" eval="[(4, ref('user_access_rights_demo.group_user'))]"/> <field name="category_id" ref="user_access_rights_demo.module_management"/> </record> |
Let me explain the code a bit more. The ‘name’ field will be the text that is shown to the user in the front-end.
By setting the ‘users’ field (which links to another group user) you can say that by default users that belong to the other group should be added to this specific group. For example: with users set to ‘base.user_root’ I will by default enable this value for the user. By setting the field ‘implied_ids’ on the ‘group_manager’ I’m saying that if the user has the manager rights that he should also have rights as a user (ref(‘user_access_rights_demo.group_user’) does this).
That is all! You’ve just created your own security groups and made them available on the user his form so that you can configure this for every user on his own.
4. Applying groups to views
After you’ve created your own groups and rules you’ve got a broad set of options to configure Odoo depending on the user his rights.
Let me give you an example with two menuitems that are available for one of two groups. If you do not need to know this you can skip to the conclusion (part 5), otherwise read on!
Alright, I will create two menuitems, one of them will be available to the user group and both menu’s will be available to the manager group. How would this look in XML? Like this:
1 2 3 4 5 6 7 8 |
<!-- top level menu: no parent --> <menuitem id="main_access_rights_menu" name="Access rights demo"/> <menuitem id="access_rights_menu" name="Rights demo" parent="main_access_rights_menu"/> <!-- Add the security groups here to allow only access for specific user groups! --> <menuitem id="menu_detail_access_admin_rights" action="access_rights_admin_action" parent="access_rights_menu" groups="user_access_rights_demo.group_manager"/> <menuitem id="menu_detail_access_user_rights" action="access_rights_user_action" parent="access_rights_menu" groups="user_access_rights_demo.group_user"/> |
This will create a new top menu named ‘Access rights demo’, with a menu named ‘Rights demo’, with two menuitems named ‘User records’ and ‘Admin records’, which looks like this:
By simply adding the ‘groups=’ tag on the menuitems I can specify which group can access which menuitem! It is as simple as that. When I would now create a new user with the ‘User’ rights he would only see the menuitem for the user and not the admin menu:
5. Conclusion
The security groups and security rules are not very hard to set-up but allow you a very broad range of configuration. You can specify what a user can see just by in which groups or security rules the user is in. This allows you to show or hide menuitems, fields and options with very little effort. The possibilities are endless!
Do you want to try the demo code and see the source code of this tutorial? You can view it on my Github account.
Has this tutorial helped you, do you have any feedback or questions? Post away!