Record Rules in Odoo

Record rules are a crucial aspect of the Odoo security and restrict the visibility of records to different users based on conditions.  Assuring the security of a record is very important as records are so delicate that anyone can do modifications on them. So we need to set some record rules to control them. While creating a record, Odoo provides an advantage of what all types of accessing can be restricted.

There are mainly four modes in record rules and are as follows:

  • Create: This mode gives the access to create a record.
  • Write: This mode gives the access to modify a record or for writing into a record
  • Read: This mode gives the access to look through and read the record
  • Unlink: This mode gives the access to deleting a record.

Based on these modes, access is given to its users. This rule can be manually set up either from the back-end or from the front-end.

Setting Record Rule from Front-end:

The records can be easily created from front-end and also modify the values accordingly. At first we have to switch to debug mode.

Go to:  Settings -> Technical -> Security -> Record Rules

One can create a new record rule from here and also edit the existing ones. Various fields in the record creation form are:

•     Name:  The name of the record rule.

•     Model: The model to which we are applying the record rule.

•     Groups: This is the group for whom this record rule is set.

•     Domain: The condition for which the rule is applied.

And finally, Boolean fields depict the different access modes-read, write, create and delete.

Setting up Record Rule from backend:

Consider a school management system. Here we are going to set the record rule for tutors so that they can only access and alter the record of their corresponding students. The first step is to create an xml file under the security directory. We have to create a group for tutors.

A category is created as School Management and a tutor group is also created. Now we have to define name for record rules, its domain, and other accesses.

Here the ir.rule is the model for creating the record rules.

  • name – represents the name of the record rule
  • model_id – the model for which record rule is applied
  • domain_force – the condition for which record rule is set
  • groups – The user group for which this rule is set.

And finally the permission for different operation either by ‘True or False’ or as ‘0 or 1’

  • perm_read – for reading
  • perm_write – for editing
  • perm_create- for creating a new record
  • perm_unlink –  for deletion

We can see that the tutor is permitted to read, write and create. But no permission is given for deletion. Once finished writing the code, this file has to be added to the manifest file. After restarting the module, we can list out this record rule from odoo.

We can view the created record rule under the Record Rules. We can see that the name, model, groups, domain are shown. Also, Boolean fields show to what all modes this rule is set. We can see that Tutor Group can only read, write and create. Similarly we can create record rule for student group, manager group as needed. We can see that another record rule is created for the manager group in the same way as done for tutors.

With these record rules, we can limit the access of records to different user groups and thus protect our data from mishandling.

If you are having queries or need any assistance in Odoo, reach out to us on our website