Odoo Security: Don’t Skip This!

Odoo Security: Don’t Skip This! A Developer’s Lifesaver Guide

Imagine this: You’ve spent weeks building a custom Odoo module for your client. Everything works perfectly—until the client logs in and gets hit with an “Access Denied” error. Panic sets in. You scramble through logs, only to realize you forgot to define proper access rights. Now, critical business operations are frozen, and your client is frustrated.

This nightmare scenario is avoidable. Odoo’s security framework is powerful but unforgiving—skip it, and your module breaks. Let’s break down how to implement access rights (groups) and record rules correctly so you never face this crisis.


Why Odoo Security Can’t Be an Afterthought

Odoo controls data access through two key mechanisms:

  1. Access Rights (Groups) – Defines who can do what (Create, Read, Update, Delete).
  2. Record Rules – Filters which records a user can access (e.g., "Salesperson can only see their own orders").

Forgetting these is like building a house but skipping the locks. Sooner or later, someone walks in and wreaks havoc.


Step 1: Define Access Rights with ir.model.access

Every custom model must have an entry in ir.model.access (usually in security/ir.model.access.csv). Otherwise, no one can access it—not even admins!

Example Setup

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink  
access_custom_model,my_module.custom_model,model_my_module_custom_model,base.group_user,1,1,1,0  

🔹 Breakdown:

  • model_id:id – Your model’s technical name (e.g., model_my_module_custom_model).
  • group_id:id – Which group gets these permissions (e.g., base.group_user for regular users).
  • perm_read/write/create/unlink – 1 (allowed) or 0 (denied).

⚠️ Common Mistake: Forgetting this file leads to cryptic errors like:

AccessError: You are not allowed to access 'Custom Model' (my_module.custom_model).  

Fix: Always define ir.model.access before deploying your module.


Step 2: Restrict Access with Record Rules

Access rights define permissions, but record rules control visibility. For example:

  • Salespeople should only see their own quotes.
  • Managers should see everything.

How to Add a Record Rule

In security/security_rules.xml:

<record id="custom_model_own_records_rule" model="ir.rule">  
    <field name="name">Only See Your Own Records</field>  
    <field name="model_id" ref="model_my_module_custom_model"/>  
    <field name="domain_force">[('user_id', '=', user.id)]</field>  
    <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>  
</record>  

🔹 Key Fields:

  • domain_force – the filter domain, which works like a WHERE clause (e.g., user_id = current user).
  • groups – Who this rule applies to (e.g., salespeople).

💡 Pro Tip: Test rules in debug mode (?debug=1) to see which rules apply.


Step 3: Organize Permissions with Groups

Instead of assigning rights individually, group users by role (e.g., "HR Manager," "Invoice Clerk").

Creating a Custom Group

In security/security_groups.xml:

<record id="group_custom_manager" model="res.groups">  
    <field name="name">Custom Model Manager</field>  
    <field name="category_id" ref="base.module_category_custom"/>  
</record>  

Then, assign permissions in ir.model.access.csv:

access_custom_model,my_module.custom_model,model_my_module_custom_model,group_custom_manager,1,1,1,1  

Best Practice:

  • Use existing groups (e.g., base.group_user) when possible.
  • Avoid giving perm_unlink (delete) unless absolutely necessary.

What Happens If You Skip Security?

🚫 Admins can’t access data (unless you manually grant rights via Settings > Technical > Security).
🚫 Users see empty lists or errors, breaking workflows.
🚫 Deployment delays—fixing security post-launch is messy.


Final Tip: Test Early, Test Often

Before deploying:

  1. Log in as different users (Admin, Manager, Employee).
  2. Verify CRUD operations (Can they see/edit records?).
  3. Check audit logs (Settings > Technical > Logs) for access errors.
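
A small pre-deployment checker for the mistakes described above, added here as an example and not part of the post or of Odoo itself: it reads a module's models file and its ir.model.access.csv (both constructed inline as sample input) and reports models with no access entry, rows that grant perm_unlink, and rows with an empty group (which Odoo applies to every user). The model_<name> xml id is derived the same way Odoo derives it from a model's technical name.

```python
import csv
import io
import re

# Constructed sample inputs standing in for a module's models.py and
# security/ir.model.access.csv (not files from the post).
MODELS_PY = '''
class CustomModel(models.Model):
    _name = "my_module.custom_model"

class CustomLine(models.Model):
    _name = "my_module.custom_line"
'''
ACCESS_CSV = """id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_custom_model,my_module.custom_model,model_my_module_custom_model,base.group_user,1,1,1,0
access_custom_model_mgr,my_module.custom_model manager,model_my_module_custom_model,group_custom_manager,1,1,1,1
"""

def declared_models(models_py):
    """Collect every _name declared in a models file."""
    return set(re.findall(r'_name\s*=\s*["\']([\w.]+)["\']', models_py))

def access_model_xmlid(model_name):
    """Odoo names the ir.model record model_<technical name with dots as underscores>."""
    return "model_" + model_name.replace(".", "_")

def lint_access(models_py, access_csv):
    """Return (severity, message) findings: warnings per CSV row, then errors per uncovered model."""
    findings = []
    covered = set()
    for row in csv.DictReader(io.StringIO(access_csv)):
        # Strip a module prefix such as my_module.model_... so both spellings match.
        covered.add(row["model_id:id"].split(".")[-1])
        if row["perm_unlink"] == "1":
            findings.append(("warn", f"{row['id']}: perm_unlink granted to {row['group_id:id']}"))
        if row["group_id:id"] == "":
            findings.append(("warn", f"{row['id']}: empty group applies to every user"))
    for model in sorted(declared_models(models_py)):
        if access_model_xmlid(model) not in covered:
            findings.append(("error", f"{model}: no ir.model.access entry (users will get AccessError)"))
    return findings

if __name__ == "__main__":
    for severity, message in lint_access(MODELS_PY, ACCESS_CSV):
        print(severity.upper(), message)
```

Run it against the real models.py and CSV of a module before deployment; an "error" line is exactly the AccessError case from Step 1.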

Conclusion: Security First, Panic Never

Odoo’s security model is strict for a reason—data breaches and access leaks hurt businesses. By setting up ir.model.access, record rules, and groups early, you save yourself (and your clients) from headaches.

🔒 Action Step: Open your latest Odoo module. Did you define access rights? If not, fix it now before it becomes a firefight.

Got burned by Odoo security before? Share your story below! 👇
