This question has been flagged
1 Reply
26451 Views
  1. Is it possible in OpenERP ERP to have per record access control ?

For example Sales person to see ONLY leads assigned to him/her ?

Thanks.

Avatar
Discard
Best Answer

Yes. Use Recored Rule with a domain like [('salesman_id','=',user.id)]

Here is odony's detailed answer on SO for a similar questions:


OpenERP has two kinds of security restrictions that can be assigned to a user group:

  • Access Rights are CRUD yes/no flags (similar to Unix FS permissions), and allow per-model access control. They state whether members of this group may perform a Create, Read, Update, and Delete operation on any document of a certain document model (e.g. a project task). The default policy is DENY, so by default any operation will be refused if the user does not explicitly have the right to perform it via one of her groups' access rights.
  • Record Rules are filters applied on CRUD operations, and allow per-document access-control, once access right are already granted. Users will only be able to perform an operation on a given document if the document matches at least one of the record rules. The default policy is ALLOW, so if no rule exists for a given model, all documents of that model may be accessed by users who have the necessary access rights.

Both Access Rights and Record Rules may also be defined globally without assigning them to a specific group, in which case they apply to everyone. There is one pitfall for Record Rules: global rules may NOT be relaxed by other rules (on purpose!), so use with care.

In your case it looks like you should define one extra Record Rule on the Project User group that explicitly restricts access on Project Tasks to your own tasks (and presumably those that are not assigned yet). You need to create a new entry in the Security Rules menu with these parameters:

  • object/model: project.task
  • name: See own tasks only
  • domain: ['|',('user_id','=',False),('user_id','=',user.id)]
    • (means: your own tasks and unassigned ones)
  • apply for read: [x]
  • apply for write: [x]
  • apply for create: [x]
  • apply for delete: [x]
  • groups: Project / User

The domain of a record rule is a standard OpenERP domain that is evaluated on the records on which you are trying to perform the operation, and can refer to a user variable that contains the current user's data (technically, a browse_record on the current user). Look for search() in the list of ORM methods for a full description of domain.

If you want to allow special users (e.g. Project Managers) to view all tasks in the system, you can relax this rule for them by adding another rule to the Project Manager group which allows access to all tasks. There is a special "domain filter" that means "ALLOW ALL" and is useful to relax another stricter rule: [(1,'=',1)].

Note: Have a look at the existing Record Rules to see what they're doing first, and be sure to read the explanations on the Record Rule form when you are adding yours. And remember that if you do something wrong with Access Rights and Record Rules, you can always fix the mess with the admin account, as these security restrictions do not apply to the admin (similarly to the root user on Unix).


Update:

For completeness, I should add that OpenERP 7.0 added a limited field/column access control. It is all-or-nothing for now; no specific read, write or create control.

For more information on different field-level access control methods check this answer.

Avatar
Discard

Very interesting, thank you.

Record rules screens needs an intuitive setting tool that you can make the necessary tuning easier. It is quiet complicated and hard to manage.

Thanks a lot !

thanks for the answer. it can get complicated. i have to agree with ahmet altinisik.

How can i access product through customer login? what is the record rule for this? like [(1,'=',1)]

i have 2 warehouse and 2 production floor. each Production floor has it own Raw materials warehouse. so how can i restrict if storekeeper 1 or or Manufacturing user 1 not to access from warehouse 2? pls any help would be appreciated

i have 2 warehouse and 2 production floor. each Production floor has it own Raw materials warehouse. so how can i restrict if storekeeper 1 or or Manufacturing user 1 try to access the warehouse 2? pls any help would be appreciated