Mastering the Odoo Permissions Audit: A Step-by-Step Guide
Dive deep into the Odoo security model and learn how to conduct a thorough permissions audit. This guide covers ACLs, record rules, common pitfalls, and automation tools to keep your Odoo instance secure.
Why Your Odoo Permissions Audit Can't Wait
Last month, a new client discovered their entire sales team could view and modify sensitive financial data, including executive salaries. The cause? A single, misconfigured user group from a custom module installation. This isn't a rare oversight; it's a ticking time bomb in many Odoo instances. An Odoo permissions audit is not just a technical task—it's a critical business process for safeguarding your data integrity, ensuring regulatory compliance, and preventing internal fraud.
Many businesses overlook the complexity of Odoo's security model, assuming default settings are sufficient. However, as you add users, install custom apps, and evolve your business processes, permission gaps inevitably appear. These gaps can lead to catastrophic data breaches, operational chaos from accidental data deletion, and significant compliance failures.
This comprehensive guide will walk you through everything you need to conduct a thorough Odoo permissions audit. We'll dissect the core components of Odoo security, provide a step-by-step manual audit process, highlight common mistakes, and show you how to maintain a secure environment long-term.
The Core Components of Odoo's Security Model
Before you can audit permissions, you must understand the building blocks of Odoo's security architecture. It's a layered system primarily built on three concepts: User Groups, Access Control Lists (ACLs), and Record Rules.
1. User Groups (res.groups)
Groups are the foundation. Instead of assigning permissions to individual users, Odoo assigns users to groups and attaches permissions to those groups, which keeps management scalable. A user can belong to many groups. For ACLs the result is a plain union: a permission granted by any one of the user's groups is granted. Record rules combine differently, as described below. Groups usually correspond to job roles (e.g., 'Sales / Manager', 'Accounting / Accountant') and can imply other groups through their 'Inherited' list (implied_ids): adding a user to a group also adds them to every group it implies, creating a powerful but potentially complex hierarchy.
2. Access Control Lists (ACLs - ir.model.access)
ACLs are the gatekeepers for your data models (the underlying database tables for things like Sales Orders, Invoices, or Contacts). For each group, an ACL defines what actions they can perform on an entire model. There are four basic permissions:
- Read: The ability to view records in the model.
- Write: The ability to edit existing records.
- Create: The ability to create new records.
- Unlink (Delete): The ability to delete records.
ACLs are cumulative and can only grant, never deny: an operation is allowed if any ACL attached to one of the user's groups, or a global ACL with no group at all, permits it. If none of a user's groups grants at least 'Read' on a model, Odoo hides the menu items whose action opens that model, and any direct access raises an access error. ACLs are defined in CSV files within a module, typically at security/ir.model.access.csv.
Example from security/ir.model.access.csv. The first row is the header; CSV has no comment syntax, so Odoo treats every line as data:
"id","name","model_id:id","group_id:id","perm_read","perm_write","perm_create","perm_unlink"
"access_sale_order_line_group_manager","sale.order.line_group_manager","model_sale_order_line","sales_team.group_sale_manager","1","1","1","1"
This row grants full CRUD on the sale.order.line model to every user in the sales_team.group_sale_manager group; the four flag columns are read, write, create and unlink, in that order. Leaving the group_id:id column empty would make the row apply to all users, which is the single most important thing to look for in an audit.
3. Record Rules (ir.rule)
While ACLs control access to an entire model, Record Rules provide fine-grained, row-level security. They filter the records a user can see or interact with based on specific criteria. This is arguably the most powerful—and most frequently misconfigured—part of Odoo security.
A Record Rule applies a domain filter to data queries. For example, a rule can be set so that salespeople can only see leads or sales orders assigned to them. These rules are defined in XML files, often in a module's security/security.xml file.
<!-- Example of a Record Rule in XML -->
<record id="sale_order_personal_rule" model="ir.rule">
<field name="name">Personal Sales Orders</field>
<field name="model_id" ref="model_sale_order"/>
<field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
<field name="domain_force">[('user_id','=',user.id)]</field>
</record>
This rule ensures that users in the 'Sales / Salesperson' group can only access sales orders where the 'Salesperson' field (user_id) is set to themselves. A rule applies to read, write, create and delete unless its perm_* flags narrow it, and record rules (like ACLs) are bypassed entirely in superuser mode, which is why custom code that calls sudo() carelessly leaks data no matter how good the rules are.
A Step-by-Step Guide to Your Manual Odoo Permissions Audit
A manual audit is an essential exercise to understand your security posture. It's time-consuming but reveals the ground truth of who can do what in your system. Activate Developer Mode to access the necessary technical menus.
Step 1: Review High-Privilege Groups
Start with the most powerful groups. Navigate to Settings > Users & Companies > Groups. Filter for groups that grant administrative or technical access, such as 'Administration / Settings' or any group with 'Manager' or 'Administrator' in the name. Carefully examine the 'Users' tab for each one. Does every user listed truly require that level of access? This is often where the most critical risks are found.
Step 2: Audit User-to-Group Mappings
Instead of looking at groups, now look at users. Go to Settings > Users & Companies > Users. Open each active user's record and review the list of groups they belong to in the 'Access Rights' tab. Apply the Principle of Least Privilege (PoLP): does this user need every single one of these permissions to perform their daily tasks? Remove any that are unnecessary.
Step 3: Analyze Global Access Control Lists (ACLs)
The most dangerous ACLs are those that are not restricted to any group, because they apply to every user, portal and public users included. Navigate to Settings > Technical > Security > Access Rights. In the search bar, filter by 'Group' and select 'is not set'. A global read-only row on a lookup table is common and often intentional; a global row with write, create or unlink on a business model is a red flag, especially for sensitive models like `hr.employee` or `account.move`. Pay particular attention to rows coming from custom modules, where a global full-rights row is the usual quick fix for an access error during development. Every model should have its access explicitly defined for specific groups.
Step 4: Scrutinize Record Rules
Go to Settings > Technical > Security > Record Rules. Review each rule, paying close attention to the 'Domain Filter' (domain_force) and to which of the read/write/create/delete operations it applies to. Odoo combines rules in a fixed way: global rules (no group) are ANDed together, the rules of the groups the user belongs to are ORed together, and the two results are ANDed. So a single permissive group rule, for example one with an empty domain [], is enough to expose every row of the model to that group no matter how restrictive the other group rules are; only a global rule can narrow what a group rule opens up. Test the effect by logging in as an affected user, or from an Odoo shell compare env['sale.order'].with_user(uid).search_count([]) with the count the administrator sees.
Step 5: Query the Database Directly (Advanced)
For a deeper analysis, you can query the Odoo database directly (read-only, from psql). This lets you find specific permission sets quickly and independently of the UI. For example, to list every active user in the 'Administration / Settings' group (XML ID base.group_system), look the group up by its XML ID in ir_model_data rather than by its display name: the name is translatable, and full_name is a non-stored computed field, so there is no such column to match on.
SELECT u.login
FROM res_users u
JOIN res_groups_users_rel r ON u.id = r.uid
JOIN ir_model_data d ON d.model = 'res.groups' AND d.res_id = r.gid
WHERE d.module = 'base' AND d.name = 'group_system' AND u.active = true
ORDER BY u.login;
This gives you a definitive list to cross-reference with your HR records. Because Odoo writes implied groups into res_groups_users_rel when a user is added to a group, the query also catches users who received Settings access indirectly through an inheriting group.
Feeling overwhelmed? NonaGuard can automate this entire audit process, identifying high-risk permissions and misconfigurations in minutes. Learn how our automated Odoo security audits work.
Common Mistakes to Watch Out For
During hundreds of audits, we've seen the same critical mistakes repeatedly. Here are the most common ones to avoid:
1. The Over-Privileged 'Super User'
A user needs to import one file, so you temporarily grant them 'Administrator' rights. The import works, but you forget to revoke the permissions. This user now has the keys to the kingdom indefinitely. Always have a process for temporary privilege escalation with a mandatory revocation step.
2. Neglecting Custom Module Security
Developers, focused on functionality, often forget to add proper security files (`ir.model.access.csv` and `security.xml`) to new custom modules. A model with no ACL is not open to everyone: Odoo denies every non-superuser and logs a warning at install time, so the symptom is an access error during testing. The danger is the usual quick fix. Either a global ACL row (empty group) with all four permissions is added, which makes the new model readable and writable by every user, or the business logic is wrapped in sudo() to make the error go away, which bypasses ACLs and record rules altogether. Every new module must have its access rights and record rules defined, reviewed and tested as part of the development lifecycle.
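A static pre-merge check for the failure modes above (and for the global ACL search in Step 3), as an added example rather than code from Odoo or from the original article: it parses a module's Python files for _name declarations without importing them, reads security/ir.model.access.csv and the ir.rule records in security/*.xml, and reports models with no ACL, global ACL rows, and rules with an empty domain. It assumes the standard module layout and Odoo's model_<name_with_underscores> XML ID convention, it only sees the module's own files (ACLs and rules contributed by other modules are out of scope), and the x_payroll module it writes to a temporary directory is constructed for the demo.

```python
"""Lint a custom Odoo module's security files (added example, not an Odoo tool)."""
import ast
import csv
import os
import tempfile
import textwrap
import xml.etree.ElementTree as ET

PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")
EMPTY_DOMAINS = {"", "[]", "[(1, '=', 1)]", '[(1, "=", 1)]'}

def declared_models(module_dir):
    """Model names assigned to `_name` in the module's .py files, found with ast (no import)."""
    names = set()
    for root, _dirs, files in os.walk(module_dir):
        for fn in files:
            if not fn.endswith(".py"):
                continue
            with open(os.path.join(root, fn), encoding="utf-8") as fh:
                tree = ast.parse(fh.read())
            for node in ast.walk(tree):
                if (isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant)
                        and any(isinstance(t, ast.Name) and t.id == "_name" for t in node.targets)):
                    names.add(node.value.value)
    return names

def read_acls(module_dir):
    path = os.path.join(module_dir, "security", "ir.model.access.csv")
    if not os.path.exists(path):
        return []
    with open(path, newline="", encoding="utf-8") as fh:
        return list(csv.DictReader(fh))

def read_rules(module_dir):
    """ir.rule records from security/*.xml: id, model ref, domain_force text, global flag."""
    rules, sec_dir = [], os.path.join(module_dir, "security")
    for fn in (sorted(os.listdir(sec_dir)) if os.path.isdir(sec_dir) else []):
        if not fn.endswith(".xml"):
            continue
        for rec in ET.parse(os.path.join(sec_dir, fn)).iter("record"):
            if rec.get("model") != "ir.rule":
                continue
            fields = {f.get("name"): f for f in rec.iter("field")}
            rules.append({
                "id": rec.get("id"),
                "model": fields["model_id"].get("ref", "?") if "model_id" in fields else "?",
                "domain": (fields["domain_force"].text or "").strip() if "domain_force" in fields else "",
                "global": "groups" not in fields,       # no groups field = global rule
            })
    return rules

def audit(module_dir):
    """Return sorted (severity, message) findings for one module directory."""
    findings, acls = [], read_acls(module_dir)
    covered = {a["model_id:id"] for a in acls}
    for name in sorted(declared_models(module_dir)):
        if "model_" + name.replace(".", "_") not in covered:
            findings.append(("HIGH", f"{name}: no ACL; non-admin users get AccessError, and "
                                     "the usual quick fix (a global full-rights row) is worse"))
    for a in acls:
        granted = [p for p in PERMS if a.get(p) == "1"]
        if not a.get("group_id:id"):                    # empty group = applies to every user
            sev = "HIGH" if set(granted) - {"perm_read"} else "MEDIUM"
            findings.append((sev, f"{a['id']}: global ACL on {a['model_id:id']} grants {', '.join(granted)}"))
    for r in read_rules(module_dir):
        if r["domain"] in EMPTY_DOMAINS:
            note = "no-op, confirm it is intended" if r["global"] else "opens every row to that group"
            findings.append(("MEDIUM", f"{r['id']}: empty-domain rule on {r['model']} ({note})"))
    return sorted(findings)

def build_sample_module():
    """Constructed x_payroll module with the three mistakes, written to a temp dir (demo data only)."""
    d = tempfile.mkdtemp(prefix="x_payroll_")
    os.makedirs(os.path.join(d, "models"))
    os.makedirs(os.path.join(d, "security"))
    with open(os.path.join(d, "models", "models.py"), "w", encoding="utf-8") as fh:
        fh.write(textwrap.dedent('''
            from odoo import fields, models

            class Payslip(models.Model):
                _name = "x_payroll.payslip"
                amount = fields.Float()

            class PayslipNote(models.Model):
                _name = "x_payroll.note"       # no ACL row below: AccessError for everyone
        '''))
    with open(os.path.join(d, "security", "ir.model.access.csv"), "w", encoding="utf-8") as fh:
        fh.write("id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink\n"
                 "access_x_payroll_payslip,payslip,model_x_payroll_payslip,,1,1,1,1\n")  # no group
    with open(os.path.join(d, "security", "security.xml"), "w", encoding="utf-8") as fh:
        fh.write('<odoo><record id="x_payroll_payslip_rule" model="ir.rule">'
                 '<field name="model_id" ref="model_x_payroll_payslip"/>'
                 '<field name="groups" eval="[(4, ref(\'base.group_user\'))]"/>'
                 '<field name="domain_force">[]</field></record></odoo>')
    return d

if __name__ == "__main__":
    for severity, message in audit(build_sample_module()):
        print(severity, message)
```

Point it at a real module directory with audit("/path/to/addons/my_module") and wire it into CI so a pull request that adds a model without an ACL, or a global row to make an access error disappear, fails before it reaches production.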
3. Ignoring Group Inheritance
You add a user to 'Sales / Administrator' (sales_team.group_sale_manager), not realizing it implies 'Sales / User: All Documents', which drops the own-records restriction and exposes every quotation and order in the company. Always check the 'Inherited' tab on a group's form (visible in developer mode) to understand the full scope of what you are granting; Odoo adds the user to every implied group automatically. This cascading effect is a primary source of unintentional data exposure.
4. Stale User Accounts and Offboarding Failures
An employee leaves the company, but their Odoo account remains active. This is a major security risk. Your HR offboarding process must include a step to deactivate the user's Odoo account on their last day. Don't just remove them from groups; deactivate the user entirely, which also stops login with their password and API keys and invalidates their existing web sessions. Then reassign the records they owned (open activities, followed documents, pending approvals) so nothing silently stalls.
Tools and Techniques for an Efficient Audit
While a manual audit is insightful, it's not scalable or repeatable. For continuous security, you need better tools and processes.
Odoo's built-in tools, found under the Technical menu, are a starting point. The 'Developer Mode' provides some contextual information, but it requires deep expertise to interpret correctly. For a more robust and efficient Odoo permissions audit, automated tools are the answer. Platforms like NonaGuard connect directly to your Odoo instance and perform a comprehensive scan in minutes. They compare your configuration against security best practices, flagging issues like:
- Users with excessive administrative rights.
- Models without any access controls.
- Overly permissive record rules.
- Accounts of departed or inactive employees that are still active.
This transforms your audit from a weeks-long manual project into a simple, repeatable health check.
Beyond the Audit: Maintaining a Secure Odoo Environment
An audit is a snapshot in time. True security comes from building robust processes.
- Establish a Permissions Policy: Document your company's policy for assigning permissions. Define roles and the specific groups associated with them. All new user requests should go through a formal approval process based on this policy.
- Schedule Regular Reviews: Make the permissions audit a recurring event on your calendar. A quarterly review for all users and a more frequent check after any new module installation or major update is a good practice.
- Integrate with HR Processes: Your user management lifecycle should be tied directly to your HR department. New hires get accounts based on their documented role, and departing employees have their accounts deactivated on their last day, without exception.
- Implement Continuous Monitoring: The best way to stay secure is to get notified the moment a risky change happens. Automated tools can provide real-time alerts when a user is granted admin rights or a new module is installed without security rules, allowing you to act immediately.
Conclusion
Odoo's security model is powerful and flexible, but its complexity is its double-edged sword. A misconfiguration can silently expose your most sensitive data. By understanding the core components, following a structured audit process, and avoiding common pitfalls, you can take control of your Odoo security. While a manual audit is a valuable first step, the key to long-term data integrity and peace of mind is to embed security into your operations and leverage automation to monitor your system continuously. Don't wait for a data breach to make security a priority.
Ready to see how your system measures up? Run a free Odoo security scan to get an instant report on your permissions and other potential vulnerabilities.
Frequently Asked Questions
What's the difference between an ACL and a Record Rule in Odoo?
An Access Control List (ACL) provides model-level security; it determines if a user group can read, write, create, or delete records in a specific model (e.g., Sales Orders). A Record Rule provides row-level security; it filters which specific records a user can see within that model (e.g., only their own Sales Orders).
How can I quickly check which users have admin rights in Odoo?
With developer mode on, navigate to Settings > Users & Companies > Groups. Open the 'Administration / Settings' group (XML ID base.group_system). The 'Users' tab lists every user with full administrative privileges, including those who received the group indirectly through an inheriting group. You can also use a direct SQL query against res_groups_users_rel for a definitive list.
Is it safe to modify default Odoo permission groups?
It is generally not recommended to modify Odoo's default groups. Doing so can cause unexpected behavior and make future updates difficult. The best practice is to create new, custom groups that inherit permissions from the default groups and then add your modifications there.
How does an automated tool improve the Odoo permissions audit process?
Automated tools like NonaGuard improve the audit process by making it fast, comprehensive, and repeatable. They scan your entire system in minutes, check for thousands of known misconfigurations, eliminate human error, and provide a clear, prioritized list of issues to fix, saving you days of manual work.