Odoo Access Control Security: ACLs, Record Rules & Multi-Company Setup

Introduction to Odoo Access Control Security

When deploying Odoo in a production environment, one of the most critical aspects to manage is security. In the wrong hands, sensitive data like payroll, sales, or financial transactions can easily be exposed. That’s why Odoo’s security model is built around Access Control Lists (ACLs), Record Rules, and Multi-Company configurations.

As a DevOps engineer or ERP consultant, you’re not just concerned with features—you care about how secure, scalable, and auditable your system is. Let’s break down Odoo’s security model from a technical perspective.

Understanding Odoo’s Security Model

Core Components of Security in Odoo

Odoo’s security relies on a layered structure:

  • Users and Groups – Every user is linked to one or more groups. Groups define the baseline security.
  • Roles and Permissions – Permissions define what CRUD (Create, Read, Update, Delete) operations can be performed.

Hierarchical Security Layers

Odoo applies security at multiple levels:

  • Database-Level Security – Ensures data integrity.
  • Application-Level Security – ACLs and Record Rules manage access.
  • Business Logic Rules – Python callables enforce advanced restrictions.

Access Control Lists (ACLs)

What are ACLs in Odoo?

ACLs define what type of operations a user can perform on a specific model (e.g., sale.order, hr.employee).

How ACLs Work Technically

ACLs are stored in ir.model.access.csv files or managed directly from the Odoo backend. Each line specifies:

  • Model – The database model (e.g., res.partner).
  • Group – Who the rule applies to.
  • Permissions – Read, Write, Create, Delete (perm_read, perm_write, perm_create, perm_unlink), each set to 1 to grant or 0 to deny.

Defining CRUD Operations

For example:

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_sales_manager,sales.manager,model_sale_order,group_sales_manager,1,1,1,1

Best Practices for ACL Configuration

  • Always start with least privilege access.
  • Avoid granting delete rights unless necessary.
  • Keep ACLs modular per module.

Common Mistakes to Avoid with ACLs

  • Granting admin access to functional users.
  • Forgetting to assign ACLs after module updates.
  • Using overly broad groups.

Record Rules in Odoo

Purpose of Record Rules

Record Rules restrict which records a user can see. Unlike ACLs, which define CRUD permissions, Record Rules control record-level access.

Domain Filters Explained

Record Rules use Odoo’s domain syntax. Example:

[('company_id', '=', user.company_id.id)]

This ensures users only see records belonging to their company.

Technical Implementation of Record Rules

They can be created in XML:

<record id="sale_order_rule_user" model="ir.rule">
    <field name="name">User Sales Orders</field>
    <field name="model_id" ref="sale.model_sale_order"/>
    <field name="domain_force">[('user_id', '=', user.id)]</field>
    <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
</record>

Debugging Record Rules

  • Use Odoo’s developer mode to analyze access errors.
  • The server log (odoo.log) records access violations in detail.

Performance Considerations for Large Databases

Complex domain filters can slow down queries. Optimize with indexes and avoid nested domains where possible.

Multi-Company Security in Odoo

Setting Up Multi-Company Access

Multi-company allows businesses to segregate data per company while still sharing system infrastructure.

Isolation of Records Across Companies

Each record is tied to a company_id. ACLs and Record Rules ensure isolation.

Shared Resources in Multi-Company

  • Users can belong to multiple companies.
  • Resources like products may be shared across companies.

Record Rules for Multi-Company Environments

To prevent data leakage, rules like:

[('company_id', 'in', user.company_ids.ids)]

are enforced.

Common Pitfalls in Multi-Company Security

  • Allowing unrestricted cross-company access.
  • Not testing with real multi-company data.
  • Failing to configure company_id fields in custom modules.

DevOps Perspective on Odoo Security

Security in CI/CD Pipelines

  • Integrate ACL/Record Rule testing into CI/CD.
  • Block deployments if security tests fail.
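The ACL best practices above (least privilege, no delete rights for functional users, no model left without an ACL) can be turned into a pipeline gate. The following is an added example, not code from the article or from Odoo: a pure-Python lint over an ir.model.access.csv, run against a constructed sample file; the group names, model external ids and the rule set are assumptions chosen for illustration.

```python
import csv
import io

# Constructed sample ir.model.access.csv (illustrative rows, not from any real module).
SAMPLE_ACL_CSV = """id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_sale_order_user,sale.order.user,model_sale_order,sales_team.group_sale_salesman,1,1,1,0
access_sale_order_manager,sale.order.manager,model_sale_order,sales_team.group_sale_manager,1,1,1,1
access_hr_payslip_all,hr.payslip.all,model_hr_payslip,,1,0,0,0
access_hr_employee_user,hr.employee.user,model_hr_employee,base.group_user,1,1,1,1
"""

# Functional groups that should never hold delete rights (least privilege); assumed list.
FUNCTIONAL_GROUPS = {"base.group_user", "sales_team.group_sale_salesman"}

def lint_acl(csv_text, module_models):
    """Check an ir.model.access.csv against the ACL best practices.

    module_models: external ids (model_<name>) of every model the module defines,
    so that a model left without any ACL line is reported.
    Returns a list of (row id or model, problem) tuples; an empty list means clean.
    """
    findings = []
    covered = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        rid = row["id"].strip()
        group = row["group_id:id"].strip()
        model = row["model_id:id"].strip()
        covered.add(model)
        # A line with no group applies to every user, not to a privileged subset.
        if not group:
            findings.append((rid, "no group: access granted to all users"))
        # Delete rights on a functional group violate least privilege.
        if group in FUNCTIONAL_GROUPS and row["perm_unlink"].strip() == "1":
            findings.append((rid, f"perm_unlink granted to functional group {group}"))
    # A model with no ACL line is denied to regular users; usually the line was forgotten.
    for model in sorted(module_models - covered):
        findings.append((model, "model has no ACL line"))
    return findings

def acl_gate(csv_text, module_models):
    """CI gate: True when the ACL file is clean, False when the deployment should be blocked."""
    return not lint_acl(csv_text, module_models)

if __name__ == "__main__":
    models = {"model_sale_order", "model_hr_payslip", "model_hr_employee", "model_sale_commission_plan"}
    for target, problem in lint_acl(SAMPLE_ACL_CSV, models):
        print(f"{target}: {problem}")
    raise SystemExit(0 if acl_gate(SAMPLE_ACL_CSV, models) else 1)
```

The non-zero exit status is what a CI job keys on to block the deployment.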

Automated Testing for ACLs & Record Rules

Using pytest-odoo or Odoo’s own testing framework, write test cases that simulate different user roles.

Monitoring & Logging Unauthorized Access

Leverage tools like Fail2ban, Grafana, or ELK stack to monitor suspicious activity.

Infrastructure Hardening in Cloud ERP for SMEs

  • Apply encryption (SSL/TLS).
  • Isolate databases per tenant.
  • Harden PostgreSQL with role-based access.

💡 Check out our previous post on “No-Code Odoo Automation: Server Actions for Smarter Workflows” to complement your security knowledge.

Advanced Security Configurations

Combining ACLs and Record Rules

ACLs answer what you can do; Record Rules answer which records you can touch. Both must be aligned.

Contextual Access Controls

Access rights can depend on context variables such as active company or active user.

Dynamic Domains with Python Callables

Because domain_force is evaluated as a Python expression (with user available in the evaluation context), the domain itself can branch on the user:

[('user_id', '=', user.id)] if not user.has_group('sales_team.group_sale_manager') else [(1, '=', 1)]

Salespeople are limited to their own orders, while managers get the always-true leaf (1, '=', 1) and see every order. Comparing user_id to False would not widen access; it would match only orders with no salesperson assigned.
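To make the multi-company rule, the salesperson rule from the XML above and the dynamic manager/salesperson domain concrete, here is an added pure-Python model (not code from the article or from Odoo) that evaluates those domains against constructed sale orders and composes them the way Odoo composes record rules: global rules are intersected, group rules are unioned. The order data, user dicts and the is_sale_manager flag are assumptions standing in for the real ORM objects; the last function shows why a domain that compares user_id to False does not open access for managers.

```python
# Constructed sample data (not from the article): sale orders in two companies.
ORDERS = [
    {"id": 1, "company_id": 1, "user_id": 10},
    {"id": 2, "company_id": 1, "user_id": 11},
    {"id": 3, "company_id": 2, "user_id": 10},
    {"id": 4, "company_id": 2, "user_id": False},  # no salesperson assigned
]

def leaf_matches(record, leaf):
    """Evaluate one domain leaf (field, operator, value) against a record dict."""
    field, op, value = leaf
    if field == 1:  # (1, '=', 1) is Odoo's always-true leaf
        return op == "=" and value == 1
    actual = record.get(field)
    if op == "=":
        return actual == value
    if op == "in":
        return actual in value
    raise ValueError(f"operator not handled in this example: {op}")

def domain_matches(record, domain):
    """Leaves are implicitly ANDed, which covers the article's single-leaf rules."""
    return all(leaf_matches(record, leaf) for leaf in domain)

def visible_ids(records, global_domains, group_domains):
    """Compose rules as Odoo does: global rules are ANDed (restrictions),
    group rules are ORed (grants), and a record must pass both sets."""
    result = []
    for rec in records:
        passes_global = all(domain_matches(rec, d) for d in global_domains)
        passes_group = not group_domains or any(domain_matches(rec, d) for d in group_domains)
        if passes_global and passes_group:
            result.append(rec["id"])
    return result

def company_rule(user):  # the multi-company restriction quoted in the article
    return [("company_id", "in", user["company_ids"])]

def own_orders_rule(user):  # sale_order_rule_user from the article's XML
    return [("user_id", "=", user["id"])]

def dynamic_rule(user):  # managers see every order, everyone else only their own
    if user["is_sale_manager"]:
        return [(1, "=", 1)]
    return [("user_id", "=", user["id"])]

def broken_dynamic_rule(user):  # pitfall: user_id = False matches only unassigned orders
    return [("user_id", "=", user["id"] if not user["is_sale_manager"] else False)]
```

Dropping the global company rule (pass an empty list) shows the cross-company leak the multi-company section warns about: the salesperson then sees their order in the other company too.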

Enforcing Security in Custom Modules

Always define ir.model.access.csv in custom modules; never rely solely on inherited ACLs.

Case Studies & Real-World Scenarios

Securing HR Data

HR records are highly sensitive. Use strict ACLs and Record Rules to limit visibility to HR managers only.

Financial Module Access Restrictions

Accountants may access invoices, but not payroll. Fine-tuned record rules ensure compliance.

Multi-Company Retail ERP Setup

In retail, regional managers should only see their region’s sales orders. Record Rules enforce data segmentation.

Conclusion

Odoo’s security model, when properly configured, creates a layered defense against unauthorized access. With ACLs, Record Rules, and Multi-Company configurations, you can design a robust security strategy. From a DevOps perspective, automating these checks and embedding them in CI/CD pipelines ensures long-term stability and compliance.

Whether you’re running a Cloud ERP for SMEs or a large enterprise solution, remember: security is not a one-time setup; it’s a continuous process.

👉 Ready to secure your Odoo environment? Book a consultation with me today and safeguard your ERP the DevOps way!

Frequently Asked Questions

1. How do ACLs differ from Record Rules?

ACLs define what actions you can perform (CRUD), while Record Rules define which records you can access.

2. Can multi-company users share data?

Yes, but only if Record Rules and configurations allow it. By default, data is isolated.

3. How do I debug ACL-related errors?

Enable developer mode, check access rights, and inspect the Odoo logs for detailed error traces.

4. Are Record Rules applied before ACLs?

No, ACLs are evaluated first. If ACLs deny access, Record Rules won’t be checked.

5. What is the best way to test Odoo security?

Automated testing with different user roles is best, supported by manual verification in staging environments.