This seems like it probably has a basic answer, but its left me baffled. Why do users (res.users) and companies (res.company) each have a many2one 'partner_id' field? From my testing it seems this corresponding partner is what is used to check access rights rather than the user/company itself. But users and companies inherit from res.partner anyway...so why do they need this separate partner object linked to them?
Can anyone tell me what I am missing here?