Odoo Security for Administrators: Restricting Access Even for the Highest Privileges

Introduction

In Odoo, the "Administrator / Settings" group typically enjoys unrestricted access to all data and functionalities within the system. However, there are scenarios where you might want to limit even these super-users' access to specific documents, records, or fields. This document details the methods and mechanisms Odoo provides to achieve this, focusing on record rules, security groups, and field-level security.

Scenario 1: Confidential Sales Contracts

Problem:
We needed to ensure that only the sales manager could view confidential sales contracts, even though administrators have access to all sales records by default.

Solution:

  1. Record Rule Creation: A record rule was created to filter access to the "Sales Contract" model. The domain for this rule was set to [('user_id', '=', user.id)], meaning only the record owner (the sales manager in this case) could view it.
  2. Group Assignment: This record rule was then assigned to a security group that included the sales manager but excluded users with "Administrator / Settings" rights.

Scenario 2: Protecting Financial Reports

Problem:
We wanted to prevent even administrators from editing or deleting financial reports generated by the accounting team.

Solution:

  1. Security Group Creation: A new security group called "Accounting Reports - Read Only" was created.
  2. Access Rights Configuration: In the access rights for the "Financial Report" model, this group was granted read access only (no write or delete access).
  3. Group Assignment: All users with "Administrator / Settings" rights were added to the "Accounting Reports - Read Only" group. This effectively restricted their access to financial reports, overriding their default full access.
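
A security data file implementing Scenarios 1 and 2, added here as an example (it is not from the original article or from Odoo itself); the module name, the models sales.contract and finance.report, and every xml id except base.group_system are assumptions. The record rule is declared global rather than attached to a group, because Odoo evaluates a group rule only for that group's members, so a rule on a group that excludes administrators would leave them unrestricted.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- security/security.xml of a hypothetical module "x_confidential" (assumed name).
     sales.contract and finance.report are assumed custom models defined in this
     module, so their ir.model xml ids are model_sales_contract / model_finance_report. -->
<odoo>
    <!-- Scenario 1: owner-only record rule on the "Sales Contract" model.
         No "groups" field is set, so the rule is global and is evaluated for every
         user, "Administrator / Settings" included; a rule attached to a group is
         evaluated only for that group's members, so a group that excludes
         administrators cannot restrict them. Only the superuser bypasses rules. -->
    <record id="rule_sales_contract_owner_only" model="ir.rule">
        <field name="name">Sales contracts: owner only</field>
        <field name="model_id" ref="model_sales_contract"/>
        <field name="domain_force">[('user_id', '=', user.id)]</field>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="True"/>
        <field name="perm_create" eval="True"/>
        <field name="perm_unlink" eval="True"/>
    </record>

    <!-- Scenario 2: read-only group for financial reports. -->
    <record id="group_accounting_reports_ro" model="res.groups">
        <field name="name">Accounting Reports - Read Only</field>
    </record>

    <!-- Step 3 of the scenario: every member of "Administrator / Settings"
         (base.group_system) becomes a member of the read-only group through
         implied_ids, so newly created administrators inherit it automatically. -->
    <record id="base.group_system" model="res.groups">
        <field name="implied_ids" eval="[(4, ref('group_accounting_reports_ro'))]"/>
    </record>

    <!-- Access rights are a union over all of a user's groups: this line keeps
         administrators read-only only if no other ir.model.access line on
         finance.report grants write/create/unlink to any group they belong to. -->
    <record id="access_finance_report_ro" model="ir.model.access">
        <field name="name">finance.report: read-only for administrators</field>
        <field name="model_id" ref="model_finance_report"/>
        <field name="group_id" ref="group_accounting_reports_ro"/>
        <field name="perm_read" eval="True"/>
        <field name="perm_write" eval="False"/>
        <field name="perm_create" eval="False"/>
        <field name="perm_unlink" eval="False"/>
    </record>
</odoo>
```

Neither mechanism binds the superuser account, and in developer mode a member of "Administrator / Settings" can switch to superuser mode from the user menu, so membership of that group is itself the control to keep small and reviewed.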

Scenario 3: Hiding Sensitive Customer Data

Problem:
We needed to hide specific fields within customer records, such as credit scores or sensitive notes, from administrators who didn't require that information.

Solution:

  1. Field-Level Security: We navigated to Settings -> Technical -> Security -> Field Access Rights.
  2. Access Configuration: We selected the "Customer" model and the fields to be restricted. The access rights for these fields were set to "Invisible" for the "Administrator / Settings" group.

Additional Considerations:

  • Record Ownership: By default, the user who creates a record is its owner and has full control over it. This can be used to restrict access to specific records even for administrators. For example, if each salesperson is the owner of the leads they create, they can be restricted from viewing leads assigned to other salespersons.
  • Custom Modules: When dealing with highly sensitive data that needs to be entirely restricted from administrators, we might need to develop a custom module with its own access control mechanisms, overriding Odoo's standard permissions.

Key Takeaways:

  • Even "Administrator / Settings" users can have their access restricted in Odoo.
  • Record rules, security groups, and field-level security are powerful tools for implementing granular access control.
  • Clear communication with administrators is essential when restricting their access to avoid confusion and frustration.
  • Regular reviews of access restrictions are necessary to keep up with evolving business requirements.

By leveraging these techniques, organizations can strike a balance between empowering administrators and safeguarding sensitive data within their Odoo systems.
