I'm new to OpenErp and I'm trying to undestand access rights writing a new module.
Let's say I have this module called Project, with title, description and a many2many relation with res.users called admin_ids, this relation represents project admins.
How can I give write rights on projects only to their admins?
Thanks in advance.
http://doc.openerp.com/trunk/developers/server/04_security/#access-rights
OpenERP 7 Access Rights for User Roles
Here are the some links which helpful to you
you have to make a group and assing this group access right to write and give this group to uses
Related
I installed odoo 12 and create a custom module
I got this message while creating a record by the normal user
Sorry, you are not allowed to access this document. Only users with the following access level are currently allowed to do that:
- Administration/Access Rights
(Document model: ir.rule) - (Operation: read, User: 6)
Please help me, to fix this
Please go through the below link.
https://medium.com/#reedrehg/becoming-a-superuser-in-odoo-12-0-f6fc2de3a62e
If you are aware of the Odoo 10 and below versions, you will understand this.
Apart from all of this add access rights for newly creating classes in Odoo on file ir.model.access.csv.
For example:
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_industry_section,access_industry_section,model_industry_section,base.group_user,1,1,1,1
I have installed the Document Management Module. I have some users who represent companies, and they only belong to the knowledge group so they can view some documents. If I try this configuration, these users can view the directories, but they canĀ“t view the documents inside them. Instead of that, they get an error saying that they must be employees to view the content of the directories. I do not want them to belong to the human resources / employee group. I just want them to belong to the knowledge group. I Hope you can help me.
Thank you in advance.
You can create an access role for this.
Enable the developer mode and then -
Go to Settings > Users > Groups.
Select the group to which you want to give the access.
Go to the Access Rights Tab and then add an item into it.
Select
- object - 'ir.attachment'
- Read, Write, Create, Unlink (Check all or as per your requirement) and - - give a name to the rule (any name).
And save it.
The user belonging to that particular group will have access to the document management module.
Thanks
Shikhar S
The model ir.attachment in Odoo has some special logic for access rights. An user doesn't only need access rights to that model, but additionally need access rights to the model to which the attachments belongs.
An easy example: You have an invoice with invoice pdf as attachment. If you don't have delete rights for the invoice (maybe only read rights), you're not allowed to delete the attachment of that invoice, too.
So the only solution to your problem is to override that logic.
If you don't want user to belong to Employee group, create user as a Portal User.(Giving user access to standard apps automatically makes user belong to Employee group as most of them inherit Employee group)
Now, you have 2 options :
1) Modify Portal group to include Knowledge menu & related objects access
2) Create new group inheriting Portal group with required menu & related objects access.
Assign new user with this group access to allow accessing Documents.
In my custom module the security kind of directory and its related groups is working fine.
Then after I was created a many users for that groups.
I want from the Following things:
As a Admin, I need to give separate access rights.
As a Users, I need to give separate access rights.
In some Module
I have achieved from the front-end using groups in OpenERP 7
Is there any method to do from back-end ?
I'm trying to make the "Edit" button on the Project form to only be visible if the user logged into the system is the Project Manager of that project. I've been reading various answers online regarding this, gathering some understanding of Access Rights vs. Record Rules but I haven't been able to get this working. To my understanding, Access Rights over-ride Record Rules. So, if I create a record rule under the group "Project/User" that has read and write access with the domain as the following:
[('user_id','=',user.id)]
This will be over-ridden by the Access Rights for Project/User anyway? So How would I get this to work?
Thanks to anyone who can help.
As far as I know, Record Rules can override Access Rights.
Here is an example where record rules are used to change the base_user edit capabilities depending on the Task state: https://github.com/OCA/project-service/tree/8.0/project_baseuser/security
However, the "edit" button is not dynamically visible depending on the Task Status: it's always visible but the rules may or may not allow to write upon "Save".
Access Control List is checked before Record Rules.
Because Access Control List is a CRUD security on models (create/read/update/delete).
Only if ACL is passed next record level security comes in.
As far as I understood you want to give Project User permission to edit his own projects (he is in group Project User not Project Manager but set as Project Manager for exact Project by Project Manager group user LOL).
I did this by doing the following:
1) Give project users Project Manager role.
2) Restrict them to only modify own projects by creating a Global rule (no group is set) with the following domain on update / delete operations:
['|', ('user_id','=',user.id),('create_uid','=',user.id)]
P,S, Here is screenshot - http://awesomescreenshot.com/0083nqyf76
For the model project.project, provide the write permission only to the group project manager.Go to settings/techical/security. There you can see the access control list. CHeck what all group is provided to the project.project model.for every group other than project manager, remove the write permission
I am currently working on a project that is designed based on SQL and VB.NET. The idea as the following: there are different permissions for users. The administraotr grants each user specific permissions. The idea is illustrated as the following:
For example, user A can get the following permissions:
He is able to add new tender, modify existing tender, add new customer.
User B has the following permissions:
He is able to view existing tenders, add new employees, ... and so on.
The idea of how to implement it in SQL and VB.NET is:
Creating a new table called Permission with the following fields:
UserID (foreign key for the user ID), for each permission there will be a single field so there will be 12 field.
Now, in VB.NET there will be 12 buttons (i.e. Add new tender, Delete tender, ....). Each button will enabled and disabled based on the value of the field (if the field = 1, the button will be enabled).
Here is an example:
In this case, for this user the buttons with the red lines will be enabled and the rest will be disabled, based on his permissions.
It is obvious that this way is SILLY and is not professional to be implemented.
I need your recommendation of how to enhance it.
Thanks
Ideally you want to use an external authorization framework e.g. Microsoft's claims-based authorization or better yet, XACML - the eXtensible Access Control Markup Language.
When you use externalized authorization, all you need to write in your code (if at all) is:
"Can I enabled button foo?". That's a question you send off to the external authorization engine. If you use an engine that "runs on XACML", then you get policy-based, attribute-based access control where you could easily define that:
users that are assigned to a customer can add tenders for that customer
Check out open source solutions or vendor solutions such as Axiomatics, the vendor I work for. Also check out available resources on XACML e.g. http://en.wikipedia.org/wiki/XACML or XACML videos on YouTube.