About Security User Roles


Security User Roles is a tool to manage users from a role perspective not based on security rights. Simple to start, easy to maintain, and safe to administrate. 

The module allows managing the security settings in a batch. So, instead of configuring the rights of each person, you may configure roles and then assign them to a number of users. 

You can assign security roles in any combination to reflect employee Odoo rights. Or leave roles empty to administrate very specific users manually. 

To change the rights of multiple users it is enough to update a security role. It takes a few seconds to reflect changes in policies or in the set of installed apps. 

Security roles are managed absolutely in the same way as you do for standard Odoo users. You may even create roles based on existing users or, vice versa: a user based on a role. 

The app lets configure advanced rules to automatically add/remove users to a role. For example, to temporarily grant rights for a substitute employee, or block access for vacation time.

The tool works with access groups introduced by any modules: Odoo standard, third-party, or custom ones. The logic here and settings availability are the same as in configuring users.

Quickly to assign

Dynamic updates

Multiple roles per user

All modules access groups

 
 




Managing Security User Roles


The module makes it easier to assign access rights, by combining them into a particular user role, which can be further assigned to various people. This way, instead of configuring rights for each person, you may configure roles and then assign them to all related users. For example, it might be useful if you have 50 salespeople with similar rights. So, you can configure the role 'Salesperson' and simply apply it to each of them. 

To create a user role: 

1. Go to General Settings 

2. Click on the button 'Users&Companies' in the systray and then choose the option 'User Roles'

3. Click the button 'New'

4. White the role reference

5. Choose the related users 

6. Set the access rights

7. Optionally, temporarily activate or deactivate the role for certain users in the tab 'Temporary Activation & Blocking'. 

After that, the role will be assigned to the selected users, if any, and their rights will be recalculated.


It is possible, to create a security role based on an existing user. This way you can significantly save time, in case some of the users are already created and their access is set. For that:

1. Go to General Settings 

2. Click 'Manage users' 

3. Open a user 

4. In the top right corner click on the button 'Create Role'.

After that, the security role card with the set of the user's access rights will be opened in editing mode. You can introduce some changes before saving and that will not result in changes in the user card, which was used as a template. 

For example, we have a sales manager Abigail Peterson that have administrative rights in purchases and projects as well. As we want to have two more sales managers with the same access, we create a role 'Sales +' and assigned it to 2 other users, instead of configuring their access rights manually.

In case, there is a need to create a new user with a certain security group, you can also do that right from the security group card. Just click the button new user in the top right corner of the security group card. 

You can add some extra users to the security role by editing it, or by assigning the role in the field 'Roles' while creating or editing a user. As the changes are saved, Odoo would automatically add the required security groups.

If some of the users should have additional roles you can assign some more user groups to them. For example, if we add a security role 'KPI Manager' to the user with the role 'Project Assistant' assigned, then the KPI Management role of the user changes to KPI Manager while the access related to other security roles is left the same.


If there is another security role assigned, that adds the same right, the highest in the hierarchy right will be assigned. For example, our user Sharlene Rhodes has two security groups assigned 'Sales Manager' and 'KPI Special'. They both change the same access right 'Project'. The role 'Sales Manager' changes it to a 'User' and the role 'KPI Special' changes it to 'Administrator'. The role 'Administrator' is higher in the hierarchy, so it will be assigned to the user. 

This way you can assign security roles in any combination to reflect employee Odoo rights. Or leave roles empty to administrate very specific users manually.


The module doesn’t forbid changing user rights after assigning a role (since there might be users without roles). However, keep in mind that with the next role update or with assigning/removing a user role, groups of the current user will be re-calculated accordingly. So, for a user with security roles assigned, it is preferable to avoid assigning individual access groups. 

For example, if we add the role 'Sales Manager' to the user Doris Cole, tick some extra roles from the section 'Other' and then add one more role 'Purchase Manager', then the rights will be recalculated and our changes in the section 'Other' will be removed.


To change the rights of multiple users it is enough to update a security role. It takes a few seconds to reflect changes in policies or in the set of installed apps. For example, we have changed the access right 'Project' in the security group 'Project Manager' from 'Administrator' to 'User', so the rights in all related user cards were changed. 

This way you can save time greatly in both the initial setup of user groups and in further updating of users since you should make a change only for a role, not for each user. 


The app lets configure advanced rules to automatically add/remove users to a role. For example, to temporarily grant rights for a substitute employee, or block access for vacation time (see Temporary User Blocking and Activation).



Security User Roles Interfaces


The module has a convenient interface, where you can manage the existing user roles, create new ones, assign them to the users and define advanced rules for temporarily assigning or removing roles to users. 

To open the interface, go to General Settings and click on the option Users & Companies > User Roles in the systray. 

There you will find the list of created user roles with the users that have those roles assigned. To find the required ones quickly, you can use the search, filtering, and grouping options. For example, you can search the user roles by the related user, for that write a name in the searchbar and choose the searching option 'Users'.

To edit any user role, just click open it and introduce the changes. 

To archive/delete the user groups just select them one by one by ticking the box by the group, then click on the gear 'Actions' above and choose the option 'Archive'/'Delete'. 


You can see the assigned security roles in the extra column 'Roles' as you open the menu 'Users' in the kanban view. 

The roles are highlighted with the help of different colors. To change the color of the role just click on it on the user's card and choose the color. 

In case you don't want to highlight the security role with the help of the color, tick the option 'Hide in kanban'.




Temporary User Blocking and Activation


The module allows setting up advanced rules to assign a user to a role temporarily or, to block a user for a specific period. This way, once set, there will be no need to remember to change the security role after some time. The module will do that for you. To that goal:

1. Go to General Settings > Users & Companies > User Roles

2. Open a user role

3. Go to the tab 'Temporary Activation and Blocking'

4. Click 'Add a line'

5. Choose a user

6. Choose the action 

7. Set the period of time

8. Optionally, click 'Add a line' to add another period of time for the rule

9. Click Save&Close.

When you block a user for some period, it means that he/she would not have the security role assigned for that time. During other intervals, this user would be re-assigned for this role. For example, such rules can be used for vacations and other types of time off.

When you activate a user for some intervals, it means that he/she would have the security role assigned only during those periods. At other times, such a user would not have this role and access rights. For instance, it might be essential for substitute or short-term employees.

Each rule might have a few blocking or activating periods. Then, if any of those are suitable now, the rule would take place. For example, you may assign a few vacation intervals for a single user.

Keep in mind that the rule should be unique per user and role, otherwise upon saving the warning will appear. In case you want to specify several periods of one action for the same user, add those to the same rule.


As the security role is activated/deactivated for a certain period, the list of the users on its card and the list of the roles on the user card are updated accordingly.

If the rule is active - it is marked by the lightning icon in the column 'Period', otherwise the rule is inactive and doesn't affect the user roles anymore. 


The app will periodically check the rules and will block/activate users for roles when that is assumed by the rules. You may change the frequency of checks under the menu Settings > Technical > Automation > Scheduled Jobs > the action '[Security User Roles] Activate/Block Users for Roles'.

To launch the check of a particular security role manually, you can click the button 'Refresh' in the tab  tab 'Temporary Activation and Blocking',