A build-to-order Odoo accounting-security module that limits which journals each user can post, view, and reconcile — so sales, purchase, bank, and cash entries stay walled off by role. ECOSIRE scopes, builds, installs, and supports it on your Odoo 17, 18, or 19. Built to order by ECOSIRE for Odoo 17, 18, 19 — indicative price from $249.00 USD; request a quote for a scoped proposal.
App manifest
Built around your workflow
A build-to-order Odoo accounting-security module that limits which journals each user can post, view, and reconcile — so sales, purchase, bank, and cash entries stay walled off by role. ECOSIRE scopes, builds, installs, and supports it on your Odoo 17, 18, or 19.
No DIY setup — a working app, built, installed and supported by ECOSIRE.
Start with a one-time build price. We scope it with you at kickoff.
ECOSIRE builds, configures and installs it on your Odoo.
You go live in about 2–4 weeks, with a post-launch support window.
In a growing finance team, everyone with accounting rights can see and post to every journal. A junior AR clerk can raise vendor bills against the bank journal; a purchasing user can open sensitive payroll or intercompany entries; a branch bookkeeper can reconcile a bank they should never touch. Odoo's out-of-the-box accounting security is coarse — the account.group_account_user and account.group_account_manager groups grant near-blanket access to account.move and account.journal, and there is no native "this person may only work in these journals" control per user. Once entry volume and headcount grow, that gap becomes an audit finding and a fraud surface, not just an inconvenience.
We build a dedicated journal-restriction layer on top of Odoo's own security model rather than bolting on a fragile UI filter. The core is a many-to-many link between res.users (or a configurable account.security.role you assign to users) and account.journal, enforced by ir.rule record rules on account.move, account.move.line, account.payment, and account.bank.statement. Because the restriction is evaluated by the ORM inside record rules, it holds everywhere — form and list views, the reconciliation widget, the invoicing dashboards, XML-RPC/JSON-RPC API calls, scheduled/automated actions, and QWeb reports alike — not just on the screens we happened to patch. A restricted user simply never sees a document in a journal they aren't entitled to, and cannot post one there either.
Technically, the module ships as a proper Odoo addon: a versioned __manifest__.py declaring dependencies on account, security defined in ir.model.access.csv plus data-file ir.rule records, a small model layer (models.Model with the journal-access fields and a compute/@api.depends helper that resolves a user's effective journal set from their roles), and OWL/XML views to manage the mappings from Settings. We add a check_journal_access() guard invoked on create/write of account.move so a blocked write fails loudly with a clear AccessError rather than silently, and an optional automated action that alerts an administrator when access is denied. We honor mail.thread audit logging on the access-role model so every change to who-can-touch-what is tracked. Multi-company deployments get company-aware rules that intersect journal access with the user's allowed companies; Community and Enterprise are both supported, with Enterprise-only touches (like the accounting dashboard) handled when present.
Delivery is build-to-order: you request a quotation, we run a short scoping call to confirm your journals, roles, company structure, and edge cases (default journals on sales/purchase, POS and bank feeds, existing custom security), then we build, test on a staging copy, and install on your Odoo. Typical delivery is 2–4 weeks from confirmed scope. Pricing starts from $249 (indicative, single-company base scope); multi-company intersection rules, deeper localization, integration with existing custom accounting security, and data migration of historical assignments increase the quoted scope. You receive a fixed quote after the scoping call — never a surprise.
Needs enforceable segregation of duties so AR, AP, bank, and payroll journals are only touched by the right people — and needs it to survive an external audit, not just look tidy on screen.
Wants restrictions enforced through record rules and security groups rather than brittle view hacks, so they hold across API calls and upgrades and don't break with every Odoo point release.
Runs several companies or branches in one database and needs each bookkeeper confined to their own journals and companies, with intercompany and shared journals handled correctly.
Requires a logged, reviewable trail of who can access which journals, plus denial alerts, to demonstrate controls over financial postings.
| Criterion | ECOSIRE | Custom Build | Competitor | Odoo Native |
|---|---|---|---|---|
| Per-user journal access control | Purpose-built, enforced by record rules on all accounting models | Achievable but you design and maintain the rules yourself | Often a view-level filter that varies in depth | |
| API / XML-RPC coverage | Enforced server-side, so it holds through XML-RPC/JSON-RPC and cron | Depends on whether you implement it at the ORM layer | Frequently UI-only, leaving the API exposed | |
| Multi-company handling | Company-aware rules intersecting journals with allowed companies | Extra effort to get intersection logic correct | Varies; often single-company assumptions | |
| Read vs write separation | Independent view and post scopes per journal | Possible with additional rule design | Usually all-or-nothing per journal | |
| Audit trail of entitlements | `mail.thread` logging plus optional denial alerts | You add logging yourself | Rarely included | |
| Upgrade safety | Clean addon, no core monkey-patching; upgrade checklist provided | Quality depends on your team's discipline | Unknown; may break on major versions | |
| Fit to your process | Scoped to your journals, roles, and edge cases before build | Fully bespoke but you carry design risk and time | Generic; you adapt your process to it | |
| Support & handover | Support window, docs, training, and git repo handover | Internal only, ties up your developers | Vendor support quality varies |
No. This is a build-to-order module. ECOSIRE builds it to your confirmed journal, role, and company structure, then installs and supports it. There is no instant download — you request a quotation and we scope it with you first.
Typical delivery is 2–4 weeks from confirmed scope. After the scoping call we agree on the exact journals, roles, and edge cases; simpler single-company builds land toward the shorter end, while multi-company or heavily customized environments take longer.
Pricing starts from $249 as an indicative single-company base scope. We hold a short scoping call, then give you a fixed written quote. Multi-company rules, localization depth, integration with existing custom security, and migrating historical assignments increase the quoted scope.
Every build includes a post-go-live support window for defect fixes and configuration help, plus a git repository handover so your team owns the code. We provide an upgrade checklist, and we can quote a separate engagement to move the module to a future Odoo major version when you upgrade.
It holds everywhere. Enforcement is via `ir.rule` record rules evaluated by the ORM, so it applies to XML-RPC/JSON-RPC calls, scheduled actions, QWeb reports, and exports — not just the web screens. That closes the back-door that UI-only filters leave open.
Yes. The core is built on standard Odoo accounting models present in both editions. Enterprise-only surfaces such as the accounting dashboard are handled when present, and we confirm your exact edition and version (17.0/18.0/19.0) during scoping.
Yes. Read and write scopes are controlled independently, so you can, for example, let a reconciler view bank journal entries without granting them the right to create or post entries there.
A build-to-order Odoo accounting-security module that limits which journals each user can post, view, and reconcile — so sales, purchase, bank, and cash entries stay walled off by role. ECOSIRE scopes, builds, installs, and supports it on your Odoo 17, 18, or 19.