In business, there are different types of records, and it is essential to secure them properly. Odoo provides security rules for this purpose. Record rules define who can access a given object: in a record rule, we describe conditions that apply to certain operations.
There are four access modes in the record rule:
– Create: Access for creating records
– Write: Access for writing or editing the records
– Read: Access for reading or viewing the records
– Delete: Access for deleting the records
We can create record rules from both the front end and back end.
Back end record rule creation:
To create record rules from the back end, we add an XML file inside the module's security directory (security >> modulename_security.xml). We can take an example from the sale_expense module.
sale_expense_security.xml
<record id="sale_order_rule_expense_user" model="ir.rule">
    <field name="name">Expense Employee can read confirmed SO</field>
    <field ref="sale.model_sale_order" name="model_id"/>
    <field name="domain_force">[('state', '=', 'sale')]</field>
    <field name="groups" eval="[(4, ref('base.group_user'))]"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="False"/>
    <field name="perm_create" eval="False"/>
    <field name="perm_unlink" eval="False"/>
    <field name="active" eval="False"/> <!-- opw-2027005: this rules breaks sale "see own document" -->
</record>
ir.rule is the model of a record rule. Here we created the record rule for the group base.group_user. The rule will apply when the state = ‘sale’.
<field ref="sale.model_sale_order" name="model_id"/>
Inside the ref, we give the corresponding model: sale is the module name, and sale.order is the model name.
<field name="perm_read" eval="True"/>
<field name="perm_write" eval="False"/>
<field name="perm_create" eval="False"/>
<field name="perm_unlink" eval="False"/>
These are the access modes set for the group base.group_user. This group has only the permission to read or view the records because other permissions are false.
<field name="domain_force">[('state', '=', 'sale')]</field>
With domain_force, we set the domain for the record rule. The rule applies to the records that match the domain. Here, the rule applies for the group only when the state is ‘sale’. We can give more than one condition in domain_force.
<field name="groups" eval="[(4, ref('base.group_user'))]"/>
Here we specify the groups; the rule applies to these groups only. In this case, the rule is for base.group_user, which means it applies to all internal users.
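As an added illustration (not code from Odoo or from the sale_expense module), this Python sketch models how the rule above is applied to one record for a given user and operation. It assumes Odoo's documented behaviour that the perm_* flags select the operations a rule is checked for and that domain terms without an explicit operator are ANDed; the function names, the sample records and the MULTI domain are constructed for this example.

```python
# Added example: simplified model of an ir.rule check, not Odoo's implementation.
# Supports only '=', '!=', 'in' leaves and the '&', '|', '!' prefix operators.

def matches(record, domain):
    """Evaluate an Odoo-style domain (prefix notation) against a record dict."""
    stack = []
    for term in reversed(domain):
        if term == '!':
            stack.append(not stack.pop())
        elif term in ('&', '|'):
            left, right = stack.pop(), stack.pop()
            stack.append((left and right) if term == '&' else (left or right))
        else:
            field, op, value = term
            actual = record.get(field)
            if op == '=':
                stack.append(actual == value)
            elif op == '!=':
                stack.append(actual != value)
            elif op == 'in':
                stack.append(actual in value)
            else:
                raise ValueError("unsupported operator: %r" % (op,))
    return all(stack)  # terms without an explicit operator are ANDed

def rule_allows(rule, user_groups, mode, record):
    """True if `rule` does not block `mode` on `record` for this user."""
    applies = (rule['active'] and rule['perm_' + mode]
               and (not rule['groups'] or set(rule['groups']) & set(user_groups)))
    # A rule that does not apply is skipped, as if it did not exist.
    return matches(record, rule['domain_force']) if applies else True

# The sale_expense rule from the page (shipped with active=False); activated here.
RULE = {
    'active': True, 'groups': ['base.group_user'],
    'domain_force': [('state', '=', 'sale')],
    'perm_read': True, 'perm_write': False,
    'perm_create': False, 'perm_unlink': False,
}
# Constructed sample records.
CONFIRMED = {'name': 'S00001', 'state': 'sale'}
DRAFT = {'name': 'S00002', 'state': 'draft'}
# Constructed domain with several conditions: (sale OR done) AND name != S00001.
MULTI = ['|', ('state', '=', 'sale'), ('state', '=', 'done'),
         ('name', '!=', 'S00001')]
```

A True result only means that this one rule does not block the operation; the model's access rights and any other record rules still apply.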
Front end record rule creation:
To create record rules from the front end, we first activate debug mode, then go to Settings > Technical > Record Rules.
Here we can see all the record rules in our system, open an already existing record rule as an example, and create a new record rule from the front end.
There are different fields for creating record rules:
Name: Give a name for the record rule
Model: The record rule will be applied to this model
Active: Activate the record rule
Access Rights: There are four access rights: read, write, create and delete. All these access rights are checked by default.
Rule Definition (Domain filter): Domain for filtering the records.
Groups: If we specify groups, the rule applies only to the specified groups. If we need to apply the rule globally, we do not specify any groups.