About Security User Roles
Security User Roles is a tool for managing users from a role perspective, not based on security rights. It is simple to start, easy to maintain, and safe to administer.
The module allows for the management of security settings in a batch. So, instead of configuring the rights of each person, you may configure roles and then assign them to several users simultaneously.
You can assign security roles in any combination to reflect employee Odoo rights. You can also leave roles empty to manually administer specific users.
Updating a security role is enough to change the rights of multiple users. This process takes a few seconds to make policy changes or reflect the set of installed apps.
Security roles are managed in the same way as the standard Odoo users. You may even create roles based on existing users or, vice versa, a user based on a role.
The app lets you configure advanced rules to add/remove role users automatically. For example, you can temporarily grant rights to a substitute employee or block access for vacation time.
The tool works with access groups introduced by any modules: Odoo standard, third-party, or custom ones. The logic and settings available here are the same as when configuring users.
Quickly to assign
Dynamic updates
Multiple roles per user
All modules access groups
Managing Security User Roles
The module makes it easier to assign access rights by combining them into a particular user role, which can be further assigned to various people. This way, instead of configuring rights for each person, you may configure roles and assign them to all related users. For example, fifty salespeople with similar rights can be managed simultaneously. Merely configure and apply the role 'Salesperson' to each of them.
To create a user role:
1. Go to General Settings
2. Open the 'Security User Roles' menu and click 'Manage Roles'. Or, in the systray, click on the button 'Users&Companies' and then choose the option 'User Roles'
3. Click the button 'New'
4. White the role reference
5. Choose the related users
6. Set the access rights
7. Optionally, temporarily activate or deactivate specific user roles in the Temporary Activation & Blocking tab.
After that, the role will be assigned to the selected users, if any, and their rights will be recalculated.
It is possible to create a security role based on an existing user. This way, you can significantly save time if some users have already been created and their access is set. For that:
1. Go to General Settings
2. Click 'Manage users'
3. Open a user
4. Push the Create Role button in the top right corner.
After that, the security role card with the user access rights set will be opened in editing mode. You can introduce some changes before saving (that will not result in changes in the user card, which was used as a template).
For example, a sales manager, Abigail Peterson, has administrative rights in purchases and projects. Since we want two more sales managers with the same access, we have created the role 'Sales +' and assigned it to two other users instead of manually configuring their access rights.
If you need to create a new user with a particular security group, you can also do that right from the security group card. Just click the new user button in the top right corner of the security group card.
You can add some extra users to the security role by editing it or assigning the role in the 'Roles' field while creating or editing a user. Odoo will automatically add the required security groups when the changes are saved.
It is possible to add several security roles to a user. In this case, the rights from both security roles will be assigned. For example, the user Jennie Fletcher has the role 'Sales Person' assigned. The role adds a user group 'Administrator' to Sales and Project rights. If we add a security role, 'KPI Special', which changes KPI Management rights, Jennie will have the following user groups assigned: Sales: Administrator, Projects: Administrator, and KPI Management: KPI Manager.
If another security role is assigned that adds the same right, the highest in the hierarchy right will be assigned. For example, our user Jennie Fletcher has two security groups assigned 'Sales Manager' and 'KPI Special'. They both change the same access right, 'Project'. The role 'Sales Manager' changes it to a 'User', and the role 'KPI Special' changes it to 'Administrator'. The role 'Administrator' is higher in the hierarchy and will be assigned to the user.
This way, you can assign security roles in any combination to reflect employee Odoo rights. You can also leave roles empty to manually administer specific users.
The module doesn't forbid changing user rights after assigning a role (since users might be without roles). However, note that the current user groups will be recalculated accordingly with the following role update or assigning/removing a user role. So, for a user with security roles assigned, it is preferable to avoid assigning individual access groups.
For example, if we add the role 'Sales Manager' to the user Doris Cole, tick some extra roles from the section 'Other', and then add one more role, 'Purchase Manager', then the rights will be recalculated, and our changes in the section 'Other' will be removed.
To change the rights of multiple users, update a security role linked to all of those users. It takes a few seconds to reflect policy changes or a set of installed apps. For example, we changed the access right 'Project' in the security group 'Project Manager' from 'Administrator' to 'User', so the rights in all related user cards were changed.
This way, you can significantly save time for the initial setup of user groups and further updating users since you should change only a role, not each user.
When a role is assigned to a user, the system recalculates access rights but does not modify the user notification preference by default. This means the value selected in the Notification field on the user Preferences tab (either 'Handle by Emails' or 'Handle in Odoo') remains unchanged.
However, suppose one assigned role should include the option 'Receive notifications in Odoo'. In that case, the system will enforce in-Odoo notifications by automatically updating the user Notification setting to 'Handle in Odoo'. It allows administrators to ensure that members of specific roles always receive notifications inside Odoo, regardless of their personal settings.
The 'Receive notifications in Odoo' option is normally visible only in developer mode. However, it can also be accessed without developer mode if the 'Always Show Technical Groups' feature is enabled in the module’s configuration. It provides additional flexibility for managing notification behavior through roles without requiring technical access.
The app lets you configure advanced rules to add/remove role users automatically. For example, you can temporarily grant rights to a substitute employee or block access for vacation time (see Temporary User Blocking and Activation).
Security User Roles Interfaces
The module has a convenient interface where you can manage the existing user roles, create new ones, assign them to the users, and define advanced rules for temporarily assigning or removing them.
You can access the interface in two ways. In General Settings, click the option Users & Companies > User Roles in the system. Alternatively, in General Settings, click on the option Security User Roles in the left part of the interface and then click 'Manage Roles'.
There, you will find the list of created user roles with the users that have those roles assigned. You can use the search, filtering, and grouping options to find the required ones. For example, you can search the user roles by the related user, write a name in the search bar, and choose the search option 'Users'.
To edit any user role, click open it and introduce the changes.
To archive/delete the user groups, select them one by one by ticking the box by the group, then click on the gear 'Actions' above and choose the option 'Archive'/' Delete'.
The assigned security roles are shown in the extra column 'Roles' when you open the menu 'Users' in Kanban view.
The roles are highlighted in different colors. To change the color of a role, click on it on the user's card and choose a different color.
If you don't want to highlight the security role with the help of the color, tick the option 'Hide in kanban'.
Some of the technical rights in Odoo can be managed only when the developer mode is turned on. For extra convenience, the module allows you to see and manage these rights when managing user roles, disregarding whether the developer mode is turned on or not.
To see and manage the technical rights without turning on the developer mode:
1. Go to the General Settings
2. Open the menu 'Security User Roles'
3. Enable the option 'Always Show Technical Groups'
4. Click 'Save'.
Temporary User Blocking and Activation
The module allows setting up advanced rules to temporarily assign a user to a role or block a user for a specific period. This way, once set, there will be no need to remember to change the security role after some time. The module will do that for you. To that goal:
1. Go to General Settings > Users & Companies > User Roles
2. Open a user role
3. Go to the tab 'Temporary Activation and Blocking'
4. Click 'Add a line'
5. Choose a user
6. Choose the action
7. Set the period
8. Optionally, click 'Add a line' to add another period for the rule
9. Click Save&Close.
When you block a user for a period, it means he/she does not have the security role assigned for that time. During other intervals, this user is re-assigned for this role. Such rules can be used for vacations and other types of time off.
When you activate a user for some intervals, it means he/she has the security role assigned only during those periods. At other times, such a user does not have this role and access rights. For instance, it might be essential for substitute or short-term employees.
Each rule might have a few blocking or activating periods. If any of those are suitable now, the rule would be activated. For example, you may assign a few vacation intervals for a single user.
Remember that the rule should be unique per user, role, and period. Otherwise, when saving, a warning will appear. If you want to specify several periods of one action for the same user, add those to the same rule.
As the security role is activated/deactivated for a certain period, the list of users and roles on the user card are updated accordingly.
If the rule is active, it is marked by the lightning icon in the column 'Period'; otherwise, it is inactive and no longer affects the user roles.
The app periodically checks the rules and blocks/activates users for roles when the rules assume that role. You may change the frequency of checks under the menu Settings > Technical > Automation > Scheduled Jobs > the action '[Security User Roles] Activate/Block Users for Roles'.
To launch the check of a particular security role manually, click the 'Refresh' button in the 'Temporary Activation and Blocking' tab.
About Security User Roles
Security User Roles is a tool for managing users from a role perspective, not based on security rights. It is simple to start, easy to maintain, and safe to administer.
The module allows for the management of security settings in a batch. So, instead of configuring the rights of each person, you may configure roles and then assign them to several users simultaneously.
You can assign security roles in any combination to reflect employee Odoo rights. You can also leave roles empty to manually administer specific users.
Updating a security role is enough to change the rights of multiple users. This process takes a few seconds to make policy changes or reflect the set of installed apps.
Security roles are managed in the same way as the standard Odoo users. You may even create roles based on existing users or, vice versa, a user based on a role.
The app lets you configure advanced rules to add/remove role users automatically. For example, you can temporarily grant rights to a substitute employee or block access for vacation time.
The tool works with access groups introduced by any modules: Odoo standard, third-party, or custom ones. The logic and settings available here are the same as when configuring users.
Quickly to assign
Dynamic updates
Multiple roles per user
All modules access groups
Managing Security User Roles
The module makes it easier to assign access rights by combining them into a particular user role, which can be further assigned to various people. This way, instead of configuring rights for each person, you may configure roles and assign them to all related users. For example, fifty salespeople with similar rights can be managed simultaneously. Merely configure and apply the role 'Salesperson' to each of them.
To create a user role:
1. Go to General Settings
2. Open the 'Security User Roles' menu and click 'Manage Roles'. Or, in the systray, click on the button 'Users&Companies' and then choose the option 'User Roles'
3. Click the button 'New'
4. White the role reference
5. Choose the related users
6. Set the access rights
7. Optionally, temporarily activate or deactivate specific user roles in the Temporary Activation & Blocking tab.
After that, the role will be assigned to the selected users, if any, and their rights will be recalculated.
It is possible to create a security role based on an existing user. This way, you can significantly save time if some users have already been created and their access is set. For that:
1. Go to General Settings
2. Click 'Manage users'
3. Open a user
4. Push the Create Role button in the top right corner.
After that, the security role card with the user access rights set will be opened in editing mode. You can introduce some changes before saving (that will not result in changes in the user card, which was used as a template).
For example, a sales manager, Abigail Peterson, has administrative rights in purchases and projects. Since we want two more sales managers with the same access, we have created the role 'Sales +' and assigned it to two other users instead of manually configuring their access rights.
If you need to create a new user with a particular security group, you can also do that right from the security group card. Just click the new user button in the top right corner of the security group card.
You can add some extra users to the security role by editing it or assigning the role in the 'Roles' field while creating or editing a user. Odoo will automatically add the required security groups when the changes are saved.
It is possible to add several security roles to a user. In this case, the rights from both security roles will be assigned. For example, the user Jennie Fletcher has the role 'Sales Person' assigned. The role adds a user group 'Administrator' to Sales and Project rights. If we add a security role, 'KPI Special', which changes KPI Management rights, Jennie will have the following user groups assigned: Sales: Administrator, Projects: Administrator, and KPI Management: KPI Manager.
If another security role is assigned that adds the same right, the highest in the hierarchy right will be assigned. For example, our user Jennie Fletcher has two security groups assigned 'Sales Manager' and 'KPI Special'. They both change the same access right, 'Project'. The role 'Sales Manager' changes it to a 'User', and the role 'KPI Special' changes it to 'Administrator'. The role 'Administrator' is higher in the hierarchy and will be assigned to the user.
This way, you can assign security roles in any combination to reflect employee Odoo rights. You can also leave roles empty to manually administer specific users.
The module doesn't forbid changing user rights after assigning a role (since users might be without roles). However, note that the current user groups will be recalculated accordingly with the following role update or assigning/removing a user role. So, for a user with security roles assigned, it is preferable to avoid assigning individual access groups.
For example, if we add the role 'Sales Manager' to the user Doris Cole, tick some extra roles from the section 'Other', and then add one more role, 'Purchase Manager', then the rights will be recalculated, and our changes in the section 'Other' will be removed.
To change the rights of multiple users, update a security role linked to all of those users. It takes a few seconds to reflect policy changes or a set of installed apps. For example, we changed the access right 'Project' in the security group 'Project Manager' from 'Administrator' to 'User', so the rights in all related user cards were changed.
This way, you can significantly save time for the initial setup of user groups and further updating users since you should change only a role, not each user.
When a role is assigned to a user, the system recalculates access rights but does not modify the user notification preference by default. This means the value selected in the Notification field on the user Preferences tab (either 'Handle by Emails' or 'Handle in Odoo') remains unchanged.
However, suppose one assigned role should include the option 'Receive notifications in Odoo'. In that case, the system will enforce in-Odoo notifications by automatically updating the user Notification setting to 'Handle in Odoo'. It allows administrators to ensure that members of specific roles always receive notifications inside Odoo, regardless of their personal settings.
The 'Receive notifications in Odoo' option is normally visible only in developer mode. However, it can also be accessed without developer mode if the 'Always Show Technical Groups' feature is enabled in the module’s configuration. It provides additional flexibility for managing notification behavior through roles without requiring technical access.
The app lets you configure advanced rules to add/remove role users automatically. For example, you can temporarily grant rights to a substitute employee or block access for vacation time (see Temporary User Blocking and Activation).
Security User Roles Interfaces
The module has a convenient interface where you can manage the existing user roles, create new ones, assign them to the users, and define advanced rules for temporarily assigning or removing them.
You can access the interface in two ways. In General Settings, click the option Users & Companies > User Roles in the system. Alternatively, in General Settings, click on the option Security User Roles in the left part of the interface and then click 'Manage Roles'.
There, you will find the list of created user roles with the users that have those roles assigned. You can use the search, filtering, and grouping options to find the required ones. For example, you can search the user roles by the related user, write a name in the search bar, and choose the search option 'Users'.
To edit any user role, click open it and introduce the changes.
To archive/delete the user groups, select them one by one by ticking the box by the group, then click on the gear 'Actions' above and choose the option 'Archive'/' Delete'.
The assigned security roles are shown in the extra column 'Roles' when you open the menu 'Users' in Kanban view.
The roles are highlighted in different colors. To change the color of a role, click on it on the user's card and choose a different color.
If you don't want to highlight the security role with the help of the color, tick the option 'Hide in kanban'.
Some of the technical rights in Odoo can be managed only when the developer mode is turned on. For extra convenience, the module allows you to see and manage these rights when managing user roles, disregarding whether the developer mode is turned on or not.
To see and manage the technical rights without turning on the developer mode:
1. Go to the General Settings
2. Open the menu 'Security User Roles'
3. Enable the option 'Always Show Technical Groups'
4. Click 'Save'.
Temporary User Blocking and Activation
The module allows setting up advanced rules to temporarily assign a user to a role or block a user for a specific period. This way, once set, there will be no need to remember to change the security role after some time. The module will do that for you. To that goal:
1. Go to General Settings > Users & Companies > User Roles
2. Open a user role
3. Go to the tab 'Temporary Activation and Blocking'
4. Click 'Add a line'
5. Choose a user
6. Choose the action
7. Set the period
8. Optionally, click 'Add a line' to add another period for the rule
9. Click Save&Close.
When you block a user for a period, it means he/she does not have the security role assigned for that time. During other intervals, this user is re-assigned for this role. Such rules can be used for vacations and other types of time off.
When you activate a user for some intervals, it means he/she has the security role assigned only during those periods. At other times, such a user does not have this role and access rights. For instance, it might be essential for substitute or short-term employees.
Each rule might have a few blocking or activating periods. If any of those are suitable now, the rule would be activated. For example, you may assign a few vacation intervals for a single user.
Remember that the rule should be unique per user, role, and period. Otherwise, when saving, a warning will appear. If you want to specify several periods of one action for the same user, add those to the same rule.
As the security role is activated/deactivated for a certain period, the list of users and roles on the user card are updated accordingly.
If the rule is active, it is marked by the lightning icon in the column 'Period'; otherwise, it is inactive and no longer affects the user roles.
The app periodically checks the rules and blocks/activates users for roles when the rules assume that role. You may change the frequency of checks under the menu Settings > Technical > Automation > Scheduled Jobs > the action '[Security User Roles] Activate/Block Users for Roles'.
To launch the check of a particular security role manually, click the 'Refresh' button in the 'Temporary Activation and Blocking' tab.