Granular Control: How to Use Odoo Record Rules Effectively

Record Rules Overview

Record rules are part of Odoo's complex access control system, which works in conjunction with user groups and access control lists (ACLs). While ACLs handle broad access rights such as the ability to create, read, write, and delete records, record rules govern access at a more granular level, limiting access to individual records based on dynamic criteria. These rules apply a filter to determine which records a user can interact with, providing fine-tuned control over what data is visible or editable to each user. By creating record rules, organizations may guarantee that employees only interact with data related to their employment, reducing the risk of data breaches or unauthorized acts.

For example, in a multi-departmental organization, record rules could be used to limit sales staff' access to only their own sales orders while enabling supervisors to view all orders. Similarly, in HR, individuals may be limited to viewing their personal information, whereas the HR manager gets complete access to all employee data. These real-world examples highlight the vital role of record rules in safeguarding sensitive information and ensuring adherence to corporate regulations.

Access Control Framework in Odoo

Odoo's access control framework is intended to provide strong security by limiting what users can see and do in the system. This framework defines and restricts access to data and functionality using a number of critical components, including users, user groups, access control lists (ACLs), and record rules. Each of these components plays a distinct role in ensuring that users only interact with data they are authorized to access, which is crucial for maintaining the integrity and confidentiality of sensitive business information.

1. Users: Each individual who interacts with Odoo is assigned a user account. This account defines the data and functionality the user can access based on the permissions assigned to their role within the company.
2. User Groups: Odoo uses groups to categorize users based on their roles, such as "Sales Manager," "HR Officer," or "Employee." These groups are assigned specific access rights, and users inherit the permissions of the groups they belong to.
3. Access Control Lists (ACLs): ACLs are the foundation of Odoo’s permission system. They define access permissions, which specify whether users can create, read, write, or remove records in a given model. For example, a sales user may be given read and write access to sales orders but not delete access. ACLs function at the model level, which means they control access to the entire dataset without filtering individual items depending on constraints.
4. Record Rules: Record rules are used when ACLs are insufficient to offer fine-grained access control. While ACLs control board operations throughout the entire model, record rules restrict which records a user can see or alter depending on specified criteria. Record rules are applied dynamically, allowing Odoo to validate each record against the conditions specified in the rule before providing access. This level of screening is what makes record rules so effective.

How Record Rules Fit In

Record rules are a more granular layer of access control that complements ACLs. While ACLs govern broad permissions on the entire dataset (e.g., whether a user can create or read records of a specific model), record rules filter which specific records within that model a user can access.

For example:

• An ACL may grant all employees the authority to read personnel records.
• A record rule could then restrict each employee to only reading their own personal record, based on a condition like the user’s employee ID.

This filtering is especially useful in complex corporate situations where employees require access to specific data inside a model but not all of it. Without record rules, ACLs would either provide too much or insufficient access.

Structure of a Record Rule

In Odoo, a record rule is essentially a filter applied to a dataset that determines which records a user can access based on specific conditions. It uses domain filters, conditions, and permissions to control record-level access. These rules apply to a variety of models (e.g., sales orders, invoices, and personnel records) and limit visibility and actions on a record-specific basis.

The structure of a record rule consists of several components:

• Domain: The primary condition for filtering records. A domain specifies the criteria for which records a user may access. For example, a record rule can be used to ensure that a user only sees sales orders attributed to them.
• Permissions: Users can take actions on filtered records, such as reading, writing, creating, or deleting them.
• Execution: Odoo automatically executes record rules whenever a user wants to view or alter data. If the record meets the requirement stated in the rule's domain, the user will be permitted access to it according to the rule's permissions.

Key Fields in Record Rules

Record rules are defined through several key fields, each serving a specific purpose in determining how the rule operates. These fields are:

• Name: A descriptive name for the record rule that helps users understand its purpose (e.g., "Only Sales Orders of Current User").

• Model ID: Determines the model to which the record rule applies. If you want to control access to sales orders, you can apply a rule on the "sales.order" model.

• Domain: This field contains the actual condition or filter, as expressed in Odoo's domain filter syntax. The domain specifies which entries are displayed to the user and can be modified. For example, ['|', ('user_id', '=', user.id), ('state', '=', 'draft')] enables users to view entries if they are the assigned user or the order is in draft status.

• Perm_read, Perm_write, Perm_create, Perm_unlink: These boolean parameters specify which actions (read, write, create, and delete) the rule will apply to. For example, setting Perm_read to True indicates that the rule controls read access to records. If this is False, then the rule has no effect on read permissions.

• Groups: A record rule can be restricted to specific user groups. For example, a rule may only apply to people in the "Sales Manager" group, ensuring that the rule's requirements are exclusive to that group.

How They Work

Record rules function by applying a filter (specified in the domain) to every interaction a user has with an Odoo model. The system checks the record rule's conditions to see if the user has access to each particular record. If the record matches the domain's conditions, the user is granted access based on the permissions specified (read, write, create, delete). If the prerequisites are not met, the record becomes hidden or inaccessible to the user.

For example, if a rule applies to the sale.order model with the domain ['|', ('user_id', '=', user.id), ('state', '=', 'draft')], Odoo will check if the user is either the assigned sales rep or if the sales order is in a draft state. If either condition is true, the user will be able to see that sales order.

Syntax of a Record Rule

[('field_name', 'operator', 'value')]

Field Name: The model field on which the condition is based.

Operator: The comparison operator (e.g., =, !=, >, <, in, etc.).

Value: The value against which the field is compared.

Examples of Common Record Rules

Odoo's record rules provide for granular control over data access depending on real-world scenarios. Businesses can assure data security, internal policy compliance, and operational efficiency by putting in place proper standards. The following are three popular use case situations that show how record rules may be used to manage access in a realistic manner.

Example 1: Restricting access to Records Based on the user's department

Use case: In a large corporation, the HR department may want to limit employees' access to records specific to their department. For example, HR personnel should not have access to employee records from other departments, yet HR managers may require access to all records.

• Model: hr.employee
• Objective: Allow HR users to view only the records of employees in their own department.
• Domain: [('department_id', '=', user.department_id)]

Steps to set up:

1. Navigate to the Settings app and enable Developer Mode.
2. Go to Settings > Technical > Security > Record Rules.
3. Click Create to define a new rule:

• Name: "View Employee Records by Department"
• Model: hr.employee
• Domain: ['department_id', '=', user.department_id]
• Permissions: Enable read permission to allow users to view records.

Assign this rule to the appropriate User Group (e.g., "HR Officer").

Save the rule.

This record rule ensures that HR personnel can only view records for employees from the same department. HR managers or higher-level users can have a separate rule that allows them to access all records.

Example 2: Allowing users to see only the sales orders they are responsible for

Use case: In a sales company, each sales rep should only see sales orders they are responsible for, while sales managers may need access to all sales orders.

• Model: sale.order
• Objective: Allow each sales rep to view only the orders where they are the assigned user.
• Domain: [('user_id', '=', user.id)]

Steps to set up:

1. Go to Settings > Technical > Security > Record Rules.
2. Click Create to define a new rule:

• Name: "View Own Sales Orders"
• Model: sale.order
• Domain: ['user_id', '=', user.id]
• Permissions: Enable read permission to allow users to view their own sales orders.

Assign this rule to the "Salesperson" User Group.

Save the rule.

This rule limits each salesperson to just seeing their own sales orders, enhancing data privacy and ensuring that they do not have access to orders managed by others. If necessary, a separate rule can be developed for sales managers, granting them access to all sales orders by leaving the domain field blank or applying a larger filter.

Managing Record Rules From the UI and Code

Odoo allows you to manage record rules both through the user interface (UI) and through code. This flexibility allows administrators and developers to regulate how data access is blocked or permitted based on the individual use case. The following is a step-by-step approach to establishing and managing record rules via the UI, as well as defining custom rules in code using Odoo's ORM (Object Relational Mapping).

Creating Record Rules from the User Interface

Managing record rules through the UI is simple and does not require coding expertise. This method is commonly used by administrators to quickly configure data access controls.

Steps for creating record rules via the Odoo Backend UI:

1. Enable Developer Mode:

• Navigate to the Settings app.
• Scroll down and check the box that says Activate Developer Mode (or use the debug URL by appending ?debug=1 to your URL).

• In Developer Mode, go to Settings > Technical > Security > Record Rules.
• Here, you can see a list of all existing record rules. You can filter by model or search for specific rules using the search bar.

• Click the Create button to define a new record rule.
• Fill in the following fields:
• Name: A descriptive name for the rule (e.g., "Limit HR Records by Department").
• Model: Choose the model for which the record rule applies (e.g., hr.employee, sale.order, etc.).
• Domain: Define the domain filter that limits which records the user can see. This should be written in Odoo’s domain syntax (e.g., ['department_id', '=', user.department_id]).
• Permissions: Check the boxes for the permissions the rule should control: Read, Write, Create, or Delete.
• Groups: (Optional) You can apply the rule to a specific user group. For example, assign it to the HR Officer group or Sales Manager group.

• Once the rule has been defined, click Save.
• Test the rule by logging in as a member of the assigned group to check it works properly. You may change or adjust the rule as needed.

Editing or managing existing Record Rules:

• To adjust an existing record rule, visit Settings > Technical > Security > Record Rules and select the rule you want to change.
• You can edit the domain, change the rights, or modify the associated groups as needed.
• To delete or deactivate a record rule, select it and then click the delete button or toggle the active state.

Custom Record Rules in Code

For more sophisticated requirements or when constructing custom modules, Odoo's ORM (Object Relational Mapping) can be used to programmatically specify record rules. This method is more robust and provides better version control for your record rules, as they can be monitored in your code repository.

Writing Record Rules in python for custom modules:

Odoo's XML and Python frameworks enable developers to define record rules directly in custom module Python files. Record rules are usually generated as part of a module's data files.

Here’s how to create a record rule in code:

1. Define Record Rules in XML: To add a record rule in your custom module, create a new XML file (usually named security/ir.model.access.csv or security/record_rules.xml) and define your rules like this:

<record id="rule_hr_employee_department" model="ir.rule">
<field name="name">Employee Records: Limit to Own Department</field>
    <field name="model_id" ref="hr.model_hr_employee"/>
    <field name="domain_force">[('department_id', '=', user.department_id)]</field>
    <field name="groups" eval="[(4, ref('hr.group_hr_user'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="False"/>
    <field name="perm_create" eval="False"/>
    <field name="perm_unlink" eval="False"/>
</record>

Name: A clear name that describes what the rule does.

Model ID: Refers to the model (hr.employee) this rule applies to.

Domain Force: The domain filter to apply. In this case, it limits users to seeing records from their own department.

Groups: Specifies the user group this rule applies to (e.g., hr.group_hr_user).

Permissions: Specifies what actions are allowed (read, write, create, delete). For example, in the above rule, users can only read records, but they cannot edit, create, or delete them.

2. Load the Record Rule in your module: To apply the rule, make sure the XML file is loaded in your module. This is done by including the file in your module's __manifest__.py file:

{
    'name': 'My Custom Module',
    'version': '1.0',
    'category': 'HR',
    'depends': ['base', 'hr'],
    'data': [
        'security/record_rules.xml',
    ],
}

3. Update your module: After you have uploaded the XML file and modified the manifest, install or upgrade your module in Odoo. The record rules will be used when the module is installed or modified.

You can also dynamically change the domain logic in Odoo models using Python, however the typical technique is to use XML, as illustrated above. However, sophisticated coders can use Python to dynamically alter access and filtering as needed. For example:

class SaleOrder(models.Model):
   _inherit = 'sale.order'

    def _restrict_order_access(self):
        if not self.env.user.has_group('sales_team.group_sale_manager'):
            return [('user_id', '=', self.env.user.id)]
        return []

In this example, the _restrict_order_access method limits sales order access based on the user's group. However, this approach is more widely used in business logic than for security, where XML-based record rules are preferred.