Odoo
security and access
access groups
access groups are exactly what I imagine them to be:
a grouping of users where their access rights are defined.
Access groups control access to:
- Database Models (e.g. Products, Sales Orders)
- Database Rows / Records (through Record Rules) – the subject of this article.
- Fields (not normally used)
- Views
- Menus
- Windows Actions
- Other elements (Buttons, Filters, Wizards)
types of access groups:
- application access groups, for example inventory user or Purchase Manager Administrator (Manager).
- 'Technical settings' relate to specific functionality such as managing multiple units of measure or analytic accounting.
- extra rights (Multi company, multi currency)
- other (Access to private addresses)
the Internal User (prev 'Employee') is inherited by all application access groups.
Access Control
Defines access to the whole model.
What is a model? A DB table.
Each access control has:
- a model
- the permissions it grants. Available permissions are creation (perm_create), searching and reading (perm_read), updating existing records (perm_write) and deleting existing records (perm_unlink)
- a group (optional)
Access controls are additive: for a given model, a user has access to all permissions granted to any of its groups.
If no group is specified, the access control applies to all users; otherwise it only applies to the members of the given group.
Record Rules
They control access to specific rows of a model. Like a filtering (?) of the rows of a table? These are applied AFTER access control.
A record rule has:
- a model on which it applies
- a set of permissions to which it applies (e.g. if perm_read is set, the rule will only be checked when reading a record)
- a set of user groups to which the rule applies, if no group is specified the rule is global
- a domain used to check whether a given record matches the rule (and is accessible) or does not (and is not accessible). The domain is evaluated with two variables in context: user is the current user’s record and time is the time module
Record rules grant permission for one or all actions: Read, Write (update), Create, Delete.
Global rules and group rules (rules applying to all users versus rules restricted to specific groups) are used quite differently:
- Global rules are subtractive, they must all be matched for a record to be accessible
- Group rules are additive, if any of them matches (and all global rules match) then the record is accessible
types of record rules:
- Global rules (with no access group specified).
  - These restrict access, and cannot be bypassed by other Record Rules.
  - They are generally used for multi-company restrictions.
  - They are quite easy to understand!
- Group-specific rules (for one or more access groups – e.g. Purchase Manager)
  - These grant permission (subject to the restrictions imposed by the Global Rules).
  - If there are multiple Group-specific rules then access is granted if ANY of the conditions are satisfied.
  - This can make Group-specific rules more difficult to understand, and care needs to be taken when using them.
Group Record Rules are almost always in sets of two, one to restrict access, one to grant full access (a set of three or more rules is also possible).
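The evaluation order described above (access control first, then global rules that must all match, then group rules of which any one may match), as an added Python sketch that is not Odoo's own code. Domains are modelled as Python predicates rather than Odoo domain lists, and the group names, model and records are constructed for illustration.

```python
# Simplified model of the access decision described in these notes (not Odoo's ORM code).
# Assumption: domains are plain Python predicates instead of Odoo domain lists.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class ACL:                       # one access-control line for a model
    model: str
    perms: set                   # subset of {"read", "write", "create", "unlink"}
    group: Optional[str] = None  # None = applies to all users

@dataclass
class Rule:                      # one record rule
    model: str
    perms: set                   # operations on which the rule is checked
    domain: Callable             # (user, record) -> bool
    groups: frozenset = frozenset()  # empty = global rule

def can_access(user, op, model, record, acls, rules):
    # 1. Access control is additive: an ACL of any of the user's groups can grant op.
    if not any(a.model == model and op in a.perms
               and (a.group is None or a.group in user["groups"]) for a in acls):
        return False
    # 2. Record rules run after access control, only those covering this operation.
    active = [r for r in rules if r.model == model and op in r.perms]
    global_rules = [r for r in active if not r.groups]
    group_rules = [r for r in active if r.groups & user["groups"]]
    # Global rules are subtractive: every one of them must match.
    if not all(r.domain(user, record) for r in global_rules):
        return False
    # Group rules are additive: one match is enough; none applicable = no extra limit.
    return not group_rules or any(r.domain(user, record) for r in group_rules)

# Constructed sample data: group names, model and records are hypothetical.
ALL = {"read", "write", "create", "unlink"}
ACLS = [ACL("sale.order", {"read"}, "user"), ACL("sale.order", ALL, "manager")]
RULES = [
    Rule("sale.order", ALL, lambda u, r: r["company"] in u["companies"]),  # global
    Rule("sale.order", ALL, lambda u, r: r["owner"] == u["id"], frozenset({"user"})),
    Rule("sale.order", ALL, lambda u, r: True, frozenset({"manager"})),  # full access
]
alice = {"id": 1, "groups": {"user"}, "companies": {"A"}}
bob = {"id": 2, "groups": {"user", "manager"}, "companies": {"A"}}
own = {"owner": 1, "company": "A"}
other = {"owner": 2, "company": "A"}
foreign = {"owner": 2, "company": "B"}
```

The last two group rules are the "set of two" pattern: one restricts the user group to its own records, the other grants the manager group everything, while the global company rule still blocks both.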
domain
https://www.odoo.com/documentation/12.0/developer/reference/orm.html#reference-orm-domains