A made-to-order encrypted credential vault built natively inside Odoo, with per-user and per-group access control, audit logging, and record-rule isolation. ECOSIRE designs, builds, installs, and supports it after your scoping call — this is not an off-the-shelf download. Built to order by ECOSIRE for Odoo 17, 18, 19 — indicative price from $249.00 USD; request a quote for a scoped proposal.
App manifest
Built around your workflow
A made-to-order encrypted credential vault built natively inside Odoo, with per-user and per-group access control, audit logging, and record-rule isolation. ECOSIRE designs, builds, installs, and supports it after your scoping call — this is not an off-the-shelf download.
No DIY setup — a working app, built, installed and supported by ECOSIRE.
Start with a one-time build price. We scope it with you at kickoff.
ECOSIRE builds, configures and installs it on your Odoo.
You go live in about 2–4 weeks, with a post-launch support window.
Teams that run their whole business in Odoo still keep shared logins — banking portals, courier accounts, SMTP/API keys, supplier extranets, social accounts — scattered across spreadsheets, chat threads, sticky notes, and personal browser vaults. There is no controlled way to say "the finance team may see the bank credential but not the marketing API key," no record of who viewed or copied a secret, and no clean way to revoke access when someone leaves. Odoo core has no credential-vault model: res.users handles authentication and ir.config_parameter stores plaintext system settings, but neither is designed to hold, encrypt, or govern access to third-party secrets. This is exactly the road-runs-out point where a purpose-built module belongs.
ECOSIRE builds a dedicated Password Manager as native Odoo modules — a real models.Model (for example password.vault and password.entry) with fields for title, username, URL, notes, category, and an encrypted secret. Secrets are never stored in cleartext: the module encrypts the password field at rest using a server-side key held outside the database (env var / config), with @api.depends-free explicit encrypt/decrypt methods so a raw SQL dump or a casual read() never exposes the value. Access is governed the Odoo-native way: ir.model.access.csv sets model-level create/read/write/unlink per group, and ir.rule record rules scope which vaults and entries a given user or team can even see — so a group-shared vault, a personal vault, and a department vault can coexist with strict isolation. Every reveal, copy, create, and edit writes an audit row (who, when, which entry, from which IP where available), and mail.thread chatter gives each entry a change history. Backend views are standard XML/OWL list and form views with a masked secret widget and a reveal-on-demand action; an optional QWeb report can produce a controlled, watermarked access inventory for audits.
Beyond the base vault we scope the governance features your team actually needs: group-based sharing with per-entry override, automated actions (ir.cron / server actions) that flag stale or expiring credentials and notify owners, optional expiry and forced-rotation reminders, and read-only "break-glass" access patterns for emergencies. Because it is built on Odoo's own ORM and security layer, the vault is reachable through the standard XML-RPC/JSON-RPC API for controlled programmatic reads by other internal modules — under the same access rules, never bypassing them. We build against your target line — Odoo 17.0, 18.0, or 19.0 — and account for Community vs Enterprise differences (Enterprise-only widgets and features are used only when your edition supports them; on Community we ship equivalent behavior).
Delivery is build-to-order. After a short scoping call we confirm the exact models, groups, encryption approach, and integrations, then design, build, and test the module on a staging copy of your database, run UAT with you, and deploy to production with a rollback plan. Typical delivery is 2 to 4 weeks from confirmed scope, depending on complexity. Pricing starts from $249 (indicative, single-company base scope); multi-company vault segregation, deeper integrations (SSO/secret-sync, external KMS), stricter compliance and audit requirements, and migrating a large volume of existing credentials increase the quoted scope. You receive a fixed quote after the scoping call — never a surprise.
Owns the shared business logins — courier portals, SMTP, payment gateways, supplier extranets — and needs them inside Odoo with real access control, an audit trail, and clean off-boarding instead of a shared spreadsheet.
Must prove who can access sensitive banking and tax-portal credentials and demonstrate a control and audit trail during reviews; needs encryption at rest, record-rule isolation, and an access-inventory report.
Runs the instance and wants the vault built the Odoo-native way — ORM models, `ir.model.access.csv`, record rules, standard views — so it upgrades cleanly and integrates with existing modules via the RPC API.
Manages a team that shares a handful of accounts and needs a group vault that their people can use but other departments cannot see, with per-entry sharing they can control themselves.
| Criterion | ECOSIRE | Custom Build | Competitor | Odoo Native |
|---|---|---|---|---|
| Fit to your process | Built to your exact vault, group, and sharing model | Fully bespoke but you specify and manage everything | Fixed feature set; you adapt to its assumptions | |
| Encryption at rest | Server-side key outside the DB; secret never read as cleartext | Depends entirely on your team's implementation | Varies; often reversible or key-in-DB | |
| Access control | Security groups + record rules for user/group/company isolation | Achievable but must be designed and tested by you | Usually group-level only, limited record scoping | |
| Audit trail | Reveal/copy/edit logged + chatter history + access report | Only if you build and maintain it | Often minimal or absent | |
| Version support | Built and tested for your 17.0 / 18.0 / 19.0 line | Whatever you target and maintain | Depends on the vendor's supported versions | |
| Delivery & support | Staging UAT, rollback plan, training, support window | Your team's time and roadmap | Download-and-configure; support varies by vendor | |
| Total cost | Fixed quote from an indicative $249 base after scoping | High developer time and ongoing maintenance | Low upfront license, limited fit and support | |
| Code ownership | Full source + Git repo handover, yours to keep | You own it and carry all the effort | Vendor-controlled; limited or obfuscated code |
No. This is a build-to-order module. ECOSIRE designs, builds, installs, and supports it for your specific Odoo instance after a scoping call. It is not an instant download from the app store; you receive source code built for your environment and version.
Typical delivery is 2 to 4 weeks from confirmed scope, depending on complexity — for example multi-company segregation, external secret-store integration, or migrating a large volume of existing credentials will extend the timeline. We agree the schedule with you in writing before starting.
Pricing starts from $249 (indicative, single-company base scope). Drivers like multi-company vaults, SSO/KMS integration, stricter compliance requirements, and bulk credential migration increase scope. After a short scoping call we send a fixed quote — no surprise costs, no open-ended hourly billing.
Secret fields are encrypted at rest using a server-side key held outside the database (environment variable / server config), so a raw database dump or a plain ORM `read()` does not expose cleartext. Access is enforced by Odoo security groups (`ir.model.access.csv`) and record rules (`ir.rule`), and every reveal or copy is logged. This is application-level protection inside Odoo, not a replacement for OS-level and network security, which we advise on.
Yes. We build for Odoo 17.0, 18.0, or 19.0, on Community or Enterprise. Where a feature relies on an Enterprise-only widget, we use it only if your edition supports it and ship an equivalent on Community, so the module runs correctly on your edition.
Every build includes a post-go-live support window for defect fixes and configuration adjustments. Beyond that we offer ongoing support and version-upgrade services — for example migrating the module when you move to a newer Odoo release — quoted separately.
Yes, through Odoo's standard XML-RPC/JSON-RPC API, but always under the same access rules and audit logging — the API respects the security groups and record rules, so a programmatic caller can only read what its user is entitled to. We scope any such integration explicitly.
Yes. You receive the installable source and a handover of the private Git repository with full commit history. The module is yours to keep, review, and maintain.
A made-to-order encrypted credential vault built natively inside Odoo, with per-user and per-group access control, audit logging, and record-rule isolation. ECOSIRE designs, builds, installs, and supports it after your scoping call — this is not an off-the-shelf download.