Odoo Multi-Company Security: Preventing Data Leaks Across Entities

Multi-company setups are one of the most misconfigured areas of Odoo. Here's how to prevent accidental data sharing between entities.


Odoo's multi-company feature is powerful — a single database can serve multiple legal entities with separate accounting, inventory, and HR workflows. But with that power comes significant security risk. Cross-company data leaks are the most common misconfiguration we find in multi-entity Odoo setups.

How Cross-Company Leaks Happen

The most frequent causes:

  • Missing record rules: Custom modules that don't implement company_id filtering let users see data from all companies
  • Overly broad inter-company rules: The default inter-company rules in Odoo are permissive by design — they need tightening for production
  • Shared admin accounts: A user with access to all companies can export data from any entity
  • Custom reports without company filters: Reports that query account.move or sale.order without company filtering aggregate data across entities

Key Record Rules to Review

Every model that contains company-sensitive data should have a record rule with a domain like:

['|', ('company_id', '=', False), ('company_id', 'in', company_ids)]

Best Practices for Multi-Company

  1. Audit all custom modules for company_id field presence and record rules
  2. Create separate admin users per company — no single account should have all-company access
  3. Test with real data — log in as a user from Company A and verify you cannot see Company B data
  4. Review inter-company transaction flows — ensure sales orders, invoices, and stock moves correctly separate by company
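A minimal static check for step 1, added here as an example and not NonaGuard's or Odoo's own code: it parses a module's model source and security XML and lists models that declare company_id but have no ir.rule whose domain_force filters on it. The x_fleet models and the function names are hypothetical; it only sees models that set _name and company_id in the same class, and it counts a group-bound rule as coverage.

```python
import ast
import xml.etree.ElementTree as ET

def models_with_company_field(py_source):
    """Names of model classes that define both _name and a company_id field."""
    names = set()
    for cls in ast.walk(ast.parse(py_source)):
        if not isinstance(cls, ast.ClassDef):
            continue
        attrs = {t.id: stmt.value for stmt in cls.body if isinstance(stmt, ast.Assign)
                 for t in stmt.targets if isinstance(t, ast.Name)}
        name = attrs.get("_name")
        if "company_id" in attrs and isinstance(name, ast.Constant):
            names.add(name.value)
    return names

def models_with_company_rule(xml_source):
    """External ids (model_<name>) of models with an ir.rule filtering on company_id."""
    covered = set()
    for rec in ET.fromstring(xml_source).iterfind(".//record[@model='ir.rule']"):
        fields = {f.get("name"): f for f in rec.findall("field")}
        domain = fields["domain_force"].text if "domain_force" in fields else ""
        ref = fields["model_id"].get("ref", "") if "model_id" in fields else ""
        if "company_id" in (domain or ""):
            covered.add(ref.split(".")[-1])  # drop an optional "module." prefix
    return covered

def missing_company_rules(py_source, xml_source):
    """Models that carry company_id but have no company-filtering record rule."""
    covered = models_with_company_rule(xml_source)
    return sorted(m for m in models_with_company_field(py_source)
                  if "model_" + m.replace(".", "_") not in covered)

# Constructed sample module: two models with company_id, only one has a rule.
SAMPLE_MODELS = """
class FleetContract(models.Model):
    _name = "x_fleet.contract"
    company_id = fields.Many2one("res.company")
class FleetClaim(models.Model):
    _name = "x_fleet.claim"
    company_id = fields.Many2one("res.company")
"""
SAMPLE_RULES = """<odoo><record id="contract_company_rule" model="ir.rule">
  <field name="name">Contract: multi-company</field>
  <field name="model_id" ref="model_x_fleet_contract"/>
  <field name="domain_force">['|', ('company_id', '=', False), ('company_id', 'in', company_ids)]</field>
</record></odoo>"""
if __name__ == "__main__":
    print(missing_company_rules(SAMPLE_MODELS, SAMPLE_RULES))
```

A model reported here still needs the login test from step 3, since a rule can exist and be too broad.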

NonaGuard's permission scanner detects multi-company record rule gaps and flags users with overly broad company access. Run a free multi-company audit.
