Security

Two layers control who can do what: access rights (per model) and record rules (per row).

Access rights

A CSV grants create/read/write/delete on a model to a group, one row per model and group (perm_unlink is the delete permission):

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_my_lead,my.lead,model_my_lead,base.group_user,1,1,1,1

List the CSV in your manifest's data.

Record rules

A record rule limits which rows a group can see or change, using a domain:

<record id="my_lead_own_rule" model="ir.rule">
  <field name="name">Salespeople see their own leads</field>
  <field name="model_id" ref="model_my_lead"/>
  <field name="domain_force">[('user_id', '=', user.id)]</field>
  <field name="groups" eval="[(4, ref('base.group_user'))]"/>
</record>

Groups and privileges

Define groups for your app and assign users to them. In version 19, groups use group_ids/user_ids and group categories use the res.groups.privilege model — see the ORM notes.

sudo and the environment

self.env.user is the current user; self.sudo() bypasses access checks (both access rights and record rules) for trusted operations. Use sudo deliberately and narrowly, and never to paper over missing access rights on user-facing actions.

Don't leak across workspaces

Each workspace is its own database, so cross-tenant leakage isn't a concern within a model — but record rules still matter for separating users inside a workspace. Grant the minimum each role needs.
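
A least-privilege review check for the two files described above, as an added example (not code from the original page or from Odoo). It reads an access-rights CSV and the record-rule XML, then flags rows with no group, delete rights granted to a broad group, and models that have access rights but no record rule. The my.other row, the finding labels and the function names are assumptions made for the illustration.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample input: the page's CSV row plus a hypothetical my.other row.
ACCESS_CSV = """id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_my_lead,my.lead,model_my_lead,base.group_user,1,1,1,1
access_my_other,my.other,model_my_other,,1,0,0,0
"""
# The page's record rule, wrapped in a root element so it parses stand-alone.
RULES_XML = """<odoo>
<record id="my_lead_own_rule" model="ir.rule">
  <field name="name">Salespeople see their own leads</field>
  <field name="model_id" ref="model_my_lead"/>
  <field name="domain_force">[('user_id', '=', user.id)]</field>
  <field name="groups" eval="[(4, ref('base.group_user'))]"/>
</record>
</odoo>"""
# Standard Odoo groups that hold most or all users.
BROAD_GROUPS = {"base.group_user", "base.group_portal", "base.group_public"}

def models_with_rules(xml_text):
    """Return the model XML IDs that at least one ir.rule record refers to."""
    covered = set()
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.get("model") != "ir.rule":
            continue
        for field in rec.iter("field"):
            if field.get("name") == "model_id" and field.get("ref"):
                covered.add(field.get("ref"))
    return covered

def audit(csv_text, xml_text):
    """Return (access_id, issue) pairs that deserve a manual review."""
    covered = models_with_rules(xml_text)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        model, group = row["model_id:id"], row["group_id:id"].strip()
        perms = {p for p in ("read", "write", "create", "unlink") if row["perm_" + p] == "1"}
        if not group:  # an empty group column applies the row to every user
            findings.append((row["id"], "no-group"))
        if group in BROAD_GROUPS and "unlink" in perms:
            findings.append((row["id"], "broad-unlink"))
        if perms and model not in covered:  # review prompt, not always a defect
            findings.append((row["id"], "no-record-rule"))
    return findings

if __name__ == "__main__":
    for access_id, issue in audit(ACCESS_CSV, RULES_XML):
        print(f"{access_id}: {issue}")
```

A model without a record rule can be intentional (shared reference data, for example), so treat that finding as a question to answer rather than an error.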
