About Security User Roles

Security User Roles is a tool for managing users by role rather than by individual security rights. It is simple to start with, easy to maintain, and safe to administer.

The module allows managing the security settings in a batch. So, instead of configuring the rights of each person, you may configure roles and then assign them to several users simultaneously. 

You can assign security roles in any combination to reflect employee Odoo rights. Or leave roles empty to administrate specific users manually. 

To change the rights of multiple users it is enough to update a security role. It takes a few seconds to reflect changes in policies or in the set of installed apps. 

Security roles are managed in the same way as standard Odoo users. You may even create a role based on an existing user or, vice versa, a user based on a role.

The app lets you configure advanced rules to automatically add or remove role users. For example, to temporarily grant rights for a substitute employee, or block access for vacation time.

The tool works with access groups introduced by any modules: Odoo standard, third-party, or custom ones. The logic here and settings availability are the same as in configuring users.

Quick to assign

Dynamic updates

Multiple roles per user

All modules access groups

Managing Security User Roles

The module makes it easier to assign access rights, by combining them into a particular user role, which can be further assigned to various people. This way, instead of configuring rights for each person, you may configure roles and then assign them to all related users. For example, manage rights simultaneously for 50 salespeople with similar rights. Merely configure the role 'Salesperson' and apply it to each of them. 

To create a user role: 

1. Go to General Settings 

2. Open the menu 'Security User Roles' and click 'Manage Roles'. Or, in the systray, click on the button 'Users&Companies' and then choose the option 'User Roles' 

3. Click the button 'New'

4. Write the role reference

5. Choose the related users 

6. Set the access rights

7. Optionally, temporarily activate or deactivate the role for certain users in the tab 'Temporary Activation & Blocking'. 

After that, the role will be assigned to the selected users, if any, and their rights will be recalculated.

It is possible to create a security role based on an existing user. This can save significant time when some users are already created and their access is set. To do that:

1. Go to General Settings 

2. Click 'Manage users' 

3. Open a user 

4. In the top right corner push the button 'Create Role'.

After that, the security role card with the set of the user's access rights will be opened in editing mode. You can introduce some changes before saving (that will not result in changes in the user card, which was used as a template). 

For example, we have a sales manager Abigail Peterson, who has administrative rights in purchases and projects. As we want to have two more sales managers with the same access, we have created a role 'Sales +' and assigned it to 2 other users, instead of configuring their access rights manually.

If there is a need to create a new user with a certain security group, you can also do that right from the security group card. Just click the button new user in the top right corner of the security group card. 

You can add some extra users to the security role by editing it or by assigning the role in the field 'Roles' while creating or editing a user. When the changes are saved, Odoo will automatically add the required security groups.

It is possible to add several security roles to a user. In this case, the rights from both security roles will be assigned. For example, the user Jennie Fletcher has the role 'Sales Person' assigned. The role adds a user group 'Administrator' to Sales and Project rights. If we add a security role 'KPI Special', which changes KPI Management rights, then Jennie will have the following user groups assigned: Sales: Administrator, Projects: Administrator, KPI Management: KPI Manager.

If another assigned security role adds the same right, the right that is highest in the hierarchy will be assigned. For example, our user Jennie Fletcher has two security roles assigned: 'Sales Manager' and 'KPI Special'. They both change the same access right 'Project'. The role 'Sales Manager' changes it to 'User' and the role 'KPI Special' changes it to 'Administrator'. The right 'Administrator' is higher in the hierarchy, so it will be assigned to the user.

This way you can assign security roles in any combination to reflect employee Odoo rights. Or leave roles empty to administrate specific users manually.

The module doesn’t forbid changing user rights after assigning a role (since there might be users without roles). However, keep in mind that with the next role update or with assigning/removing a user role, groups of the current user will be re-calculated accordingly. So, for a user with security roles assigned, it is preferable to avoid assigning individual access groups. 

For example, if we add the role 'Sales Manager' to the user Doris Cole, tick some extra roles from the section 'Other', and then add one more role 'Purchase Manager', then the rights will be recalculated and our changes in the section 'Other' will be removed.
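The merge and recalculation behaviour described above can be modelled in a few lines to audit which rights a user should end up with. This is an added example, not the module's code: the role contents, the `HIERARCHY` ordering and all function names are assumptions made for illustration.

```python
# Constructed sample data: levels per application, ordered lowest to highest.
HIERARCHY = {
    "Sales": ["User", "Administrator"],
    "Project": ["User", "Administrator"],
    "Purchase": ["User", "Administrator"],
}
# Roles modelled as application -> level (names from the page, contents assumed).
ROLES = {
    "Sales Manager": {"Sales": "Administrator", "Project": "User"},
    "KPI Special": {"Project": "Administrator"},
    "Purchase Manager": {"Purchase": "Administrator"},
}

def effective_rights(role_names):
    """Union of all roles; where two roles set the same right, the highest wins."""
    merged = {}
    for name in role_names:
        for app, level in ROLES[name].items():
            order = HIERARCHY[app]
            if app not in merged or order.index(level) > order.index(merged[app]):
                merged[app] = level
    return merged

def unexplained_rights(user):
    """Rights on the user card that no assigned role grants (manual additions).
    These are what the next recalculation would remove."""
    expected = effective_rights(user["roles"])
    return {app: lvl for app, lvl in user["rights"].items()
            if expected.get(app) != lvl}

def assign_role(user, role_name):
    """Assigning a role triggers recalculation: rights are rebuilt from roles only."""
    user["roles"].append(role_name)
    user["rights"] = effective_rights(user["roles"])
    return user["rights"]
```

Running `unexplained_rights` over all users before a role update shows which manual grants are about to disappear, and which users hold rights that no role accounts for.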

To change the rights of multiple users it is enough to update a security role. It takes a few seconds to reflect changes in policies or set of installed apps. For example, we have changed the access right 'Project' in the security group 'Project Manager' from 'Administrator' to 'User', so the rights in all related user cards were changed. 

This way you can save time greatly in both the initial setup of user groups and in further updating of users since you should make a change only for a role, not for each user. 

The app lets you configure advanced rules to automatically add or remove role users. For example, to temporarily grant rights for a substitute employee, or block access for vacation time (see Temporary User Blocking and Activation).

Security User Roles Interfaces

The module has a convenient interface, where you can manage the existing user roles, create new ones, assign them to the users, and define advanced rules for temporarily assigning or removing user roles.

You can access the interface in two ways. In General Settings, click on the option Users & Companies > User Roles in the systray. Or, in General Settings, click on the option Security User Roles in the left part of the interface, and then click 'Manage Roles'.

There you will find the list of created user roles with the users that have those roles assigned. To find the required ones, you can use the search, filtering, and grouping options. For example, you can search the user roles by the related user, for that write a name in the search bar, and choose the searching option 'Users'.

To edit a user role, open it and make the changes.

To archive/delete the user groups select them one by one by ticking the box by the group, then click on the gear 'Actions' above and choose the option 'Archive'/'Delete'. 

You can see the assigned security roles in the extra column 'Roles' as you open the menu 'Users' in kanban view. 

The roles are highlighted with the help of different colors. To change the color of the role, click on it on the user's card and choose the color. 

If you don't want to highlight the security role with the help of the color, tick the option 'Hide in kanban'.

Some of the technical rights in Odoo can be managed only when the developer mode is turned on. For extra convenience, the module makes it possible to see and manage these rights when managing user roles, regardless of whether the developer mode is turned on.

To see and manage the technical rights without turning on the developer mode:

1. Go to the General Settings

2. Open the menu 'Security User Roles'

3. Enable the option 'Always Show Technical Groups'

4. Click 'Save'.

Temporary User Blocking and Activation

The module allows setting up advanced rules to assign a user to a role temporarily or to block a user for a specific period. Once a rule is set, there is no need to remember to change the security role after some time; the module will do that for you. To do that:

1. Go to General Settings > Users & Companies > User Roles

2. Open a user role

3. Go to the tab 'Temporary Activation and Blocking'

4. Click 'Add a line'

5. Choose a user

6. Choose the action 

7. Set the period

8. Optionally, click 'Add a line' to add another period for the rule

9. Click Save&Close.

When you block a user for some period, it means that he/she would not have the security role assigned for that time. During other intervals, this user would be re-assigned for this role. For example, such rules can be used for vacations and other types of time off.

When you activate a user for some intervals, it means that he/she would have the security role assigned only during those periods. At other times, such a user would not have this role and access rights. For instance, it might be essential for substitute or short-term employees.

Each rule might have a few blocking or activating periods. If any of those periods covers the current moment, the rule applies. For example, you may assign a few vacation intervals for a single user.

Keep in mind that the rule should be unique per user, role, and period. Otherwise, a warning will appear upon saving. In case you want to specify several periods of one action for the same user, add those to the same rule.

As the security role is activated/deactivated for a certain period, the list of the users on its card and the list of the roles on the user card are updated accordingly.

If the rule is active, it is marked with the lightning icon in the column 'Period'; otherwise the rule is inactive and no longer affects the user roles.

The app will periodically check the rules and will block/activate users for roles as the rules require. You may change the frequency of checks under the menu Settings > Technical > Automation > Scheduled Jobs > the action '[Security User Roles] Activate/Block Users for Roles'.
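Because the rules are applied by a periodic job, actual role membership can lag behind what the rules say. The following added example (not the module's code) evaluates blocking and activation rules for one role and reports that gap; the rule layout, user names, inclusive period bounds and the block-over-activate precedence are assumptions of this sketch.

```python
from datetime import datetime

# Constructed sample rules for a single role.
RULES = [
    {"user": "doris", "action": "block",        # vacation: two periods, one rule
     "periods": [(datetime(2024, 7, 1), datetime(2024, 7, 14)),
                 (datetime(2024, 12, 23), datetime(2024, 12, 31))]},
    {"user": "temp", "action": "activate",      # substitute employee
     "periods": [(datetime(2024, 7, 1), datetime(2024, 7, 14))]},
]

def in_any_period(rule, now):
    """A rule applies when at least one of its periods covers `now`.
    Inclusive bounds are an assumption of this example."""
    return any(start <= now <= end for start, end in rule["periods"])

def should_hold_role(user, rules, now):
    """Expected state for a user listed on the role.
    Block: role removed inside the periods, kept outside them.
    Activate: role held only inside the periods.
    If both kinds exist for one user, this example lets an active block win
    (fail closed); the page does not document that case."""
    mine = [r for r in rules if r["user"] == user]
    if any(r["action"] == "block" and in_any_period(r, now) for r in mine):
        return False
    activations = [r for r in mine if r["action"] == "activate"]
    if activations:
        return any(in_any_period(r, now) for r in activations)
    return True

def stale_members(actual_members, candidates, rules, now):
    """Audit check: where actual membership differs from what the rules expect,
    e.g. because the scheduled job has not run since a period ended."""
    expected = {u for u in candidates if should_hold_role(u, rules, now)}
    actual = set(actual_members)
    return {"should_lose": sorted(actual - expected),
            "should_gain": sorted(expected - actual)}
```

A non-empty `should_lose` list after an activation period has ended is the case to watch for when the scheduled job runs infrequently or has been disabled.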

To launch the check of a particular security role manually, you can click the button 'Refresh' in the tab 'Temporary Activation and Blocking'.