Odoo Security and Access Control: Protect Your Business Data
Your ERP contains your most sensitive business data — financial records, customer information, employee details, pricing strategies, and operational metrics. A misconfigured access control can expose this data to unauthorized users or allow accidental (or malicious) modifications. Odoo provides a layered security model that, when properly configured, protects data while enabling the access people need to do their jobs.
The Security Layer Stack
Odoo security operates in four layers, each adding finer-grained control:
- User Groups — broad categories of access (Sales User, Accounting Manager, HR Officer)
- Access Rights — CRUD permissions (Create, Read, Update, Delete) per model per group
- Record Rules — row-level filtering (users see only their own records, their team records, or all records)
- Field-Level Access — individual field restrictions (hiding salary fields from non-HR users)
User Groups
Predefined Groups
Each Odoo module defines user groups that match typical organizational roles. The Sales module, for example, ships three: Sales User (own leads and orders only), Sales Manager (all sales data) and Administrator (full configuration access). In recent versions the Sales app labels these User: Own Documents Only, User: All Documents and Administrator, so check Settings > Users & Companies > Groups in your own instance rather than relying on names from documentation.
Custom Groups
Create custom groups for roles unique to your organization. A "Regional Manager" group, for instance, might carry the same access rights as Sales Manager while a record rule attached to that group limits it to records from the manager's region. The group alone only grants rights; the rule is what narrows them.
Group Hierarchy
Groups can imply other groups (the Implied Groups field on a group). Sales Manager implies Sales User, so it inherits all Sales User permissions and adds management capabilities. This hierarchy reduces configuration duplication, but it also means a permission granted to a low-level group silently reaches every group that implies it, so review the implied chain when tightening access.
Access Rights (ACL)
Model-Level Permissions
For each group, define permissions on each model (database table): Read (view records), Create (make new records), Write (modify existing records) and Delete (remove records; called Unlink in Odoo's own terminology). Modules declare these in their ir.model.access.csv file, and administrators can review them in developer mode under Settings > Technical > Security > Access Rights. Two points matter in practice: access rights are additive across a user's groups, and a model with no access line for any of the user's groups is completely inaccessible to that user (a full deny, not read-only).
A Warehouse Worker might have Read/Write on Stock Picking (fulfillment orders) but only Read on Product (cannot modify product information).
Common Configurations
- Read-only access: Users who need to view data but not change it
- Create but not delete: Users who add records but cannot remove them
- No access: Groups that should not see certain models at all (HR data hidden from non-HR)
Record Rules
Domain-Based Filtering
Record rules (ir.rule) apply domain filters that limit which records a group can access within a model, and each rule states which of read, write, create and delete it governs. The domain is a Python expression evaluated with the current user in scope. Examples:
- Sales users see only leads assigned to them: [('user_id', '=', user.id)]
- Department managers see all records in their department: [('department_id', '=', user.department_id.id)]
- Multi-company isolation: [('company_id', '=', user.company_id.id)] in older versions. Since Odoo 13 a user can have several companies active at once, so the shipped rules use ['|', ('company_id', '=', False), ('company_id', 'in', company_ids)], where company_ids is the set of companies the user currently has selected.
Global vs Group-Specific Rules
Global rules (rules with no group attached) apply to everyone who is not in superuser mode and are combined with AND: a record must satisfy every global rule. Group-specific rules apply only to members of the groups they are attached to and are combined with OR, so a user in several groups sees the union of what those groups' rules allow. The final filter is the global rules AND the union of the applicable group rules. Two consequences follow. First, once a user already has one applicable group rule, adding another can only widen access, never narrow it, so a restriction that must hold for everyone belongs in a global rule. Second, a user with no applicable group rule on a model is limited only by the global rules. The superuser (OdooBot, or an administrator who has switched to superuser mode) bypasses record rules entirely.
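To make the AND/OR combination concrete, the following added example (written for this article, not Odoo code) models the rule-combination logic over constructed sample users, leads and rules. The domain evaluator supports only the operators the examples above use, rule domains are written as Python functions of the user in place of Odoo's domain_force expression strings, and the group names are hypothetical.

```python
"""Model of how Odoo combines record rules: global rules ANDed, group rules ORed.

Added illustration, not Odoo code. Domains use Odoo's prefix notation
(an implicit '&' between consecutive leaves); only '=', '!=', 'in' and
'not in' are modelled. Group names and records are constructed samples.
"""
from collections import deque

OP_ARITY = {"&": 2, "|": 2, "!": 1}


def normalize_domain(domain):
    """Insert the implicit '&' operators so every leaf has an explicit parent."""
    result, expected = [], 1
    for token in domain:
        if expected == 0:
            result.insert(0, "&")
            expected = 1
        result.append(token)
        expected += OP_ARITY[token] - 1 if isinstance(token, str) else -1
    if expected != 0:
        raise ValueError(f"malformed domain: {domain!r}")
    return result


def eval_domain(domain, record):
    """Evaluate a normalized prefix domain against one record (a plain dict)."""
    tokens = deque(normalize_domain(domain))

    def parse():
        token = tokens.popleft()
        if isinstance(token, str):
            if token == "!":
                return not parse()
            left, right = parse(), parse()  # evaluate both sides so token consumption stays aligned
            return (left and right) if token == "&" else (left or right)
        if token == (1, "=", 1):  # Odoo's TRUE_LEAF, used by "see everything" rules
            return True
        field, operator, value = token
        actual = record.get(field)
        if operator == "=":
            return actual == value
        if operator == "!=":
            return actual != value
        if operator == "in":
            return actual in value
        if operator == "not in":
            return actual not in value
        raise ValueError(f"operator {operator!r} not modelled here")

    result = parse()
    if tokens:
        raise ValueError("trailing tokens in domain")
    return result


def allowed_records(user, records, rules):
    """Ids the user may read: every global rule must hold, then any applicable group rule."""
    global_rules = [r for r in rules if not r["groups"]]
    group_rules = [r for r in rules if set(r["groups"]) & user["groups"]]

    def permitted(rec):
        if not all(eval_domain(r["domain"](user), rec) for r in global_rules):
            return False
        if not group_rules:  # no group rule applies: only the global rules restrict
            return True
        return any(eval_domain(r["domain"](user), rec) for r in group_rules)

    return [rec["id"] for rec in records if permitted(rec)]


# Constructed sample data standing in for res.users and crm.lead rows.
USERS = {
    "alice": {"id": 1, "groups": {"sales_user"}, "department_id": 10, "company_ids": [1]},
    "bob": {"id": 2, "groups": {"sales_user", "sales_manager"}, "department_id": 10, "company_ids": [1, 2]},
    "carol": {"id": 4, "groups": {"accounting_user"}, "department_id": 30, "company_ids": [2]},
    "dana": {"id": 5, "groups": {"dept_manager"}, "department_id": 10, "company_ids": [1, 2, 3]},
}
LEADS = [
    {"id": 101, "user_id": 1, "department_id": 10, "company_id": 1},
    {"id": 102, "user_id": 2, "department_id": 10, "company_id": 1},
    {"id": 103, "user_id": 3, "department_id": 20, "company_id": 2},
    {"id": 104, "user_id": 3, "department_id": 10, "company_id": 3},
    {"id": 105, "user_id": 3, "department_id": 10, "company_id": False},  # shared across companies
]
RULES = [
    # Global rule (no groups): the modern multi-company rule, ANDed with everything else.
    {"name": "multi-company", "groups": [],
     "domain": lambda user: ["|", ("company_id", "=", False), ("company_id", "in", user["company_ids"])]},
    # Group rules: ORed together for whichever of them the user's groups match.
    {"name": "own leads", "groups": ["sales_user"], "domain": lambda user: [("user_id", "=", user["id"])]},
    {"name": "all leads", "groups": ["sales_manager"], "domain": lambda user: [(1, "=", 1)]},
    {"name": "own department", "groups": ["dept_manager"],
     "domain": lambda user: [("department_id", "=", user["department_id"])]},
]

if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name:6} sees leads {allowed_records(user, LEADS, RULES)}")
```

Bob holds both the "own leads" and "all leads" rules, so he sees the union (everything), yet lead 104 is still hidden from him because the global company rule is ANDed on top. Carol has no group rule on this model, so only the company rule applies to her.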
Field-Level Security
Sensitive Field Protection
Restrict individual fields to specific groups with the groups attribute on the field definition (for example groups='hr.group_hr_user' on a salary field), or through Odoo Studio on Enterprise. A restricted field is removed from views for everyone else, and an explicit read or write of it through the API fails with an access error, so this is a real control rather than a cosmetic one. Common use cases: employee salary visible only to HR and Finance, customer credit terms visible only to Sales Managers, product cost price visible only to Purchasing and Accounting, and margin calculations visible only to management.
Computed Fields Security
For calculated fields (profit margins, commissions), ensure the source data fields are also secured, and the reverse: a user who cannot see the cost price should not see a margin field that reveals it indirectly, so a computed field must be restricted at least as tightly as every field it depends on. Fields declared with compute_sudo=True are evaluated with superuser privileges, which makes their own groups attribute the only thing between the user and the source data.
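The check above can be automated over a module's field declarations. The following added example (not Odoo code) models each field by the two attributes that matter here, groups and depends, and flags any computed field whose allowed readers are wider than the intersection of its transitive sources' readers. Field and group names are a constructed sample in the style of a sales order line; on a real instance you would feed it the groups and depends of a model's _fields.

```python
"""Find computed fields that leak restricted source data.

Added illustration, not Odoo code. A field is a dict with 'groups' (a set of
group XML ids, or None for unrestricted) and 'depends' (names of the fields
it is computed from; empty for stored input fields). Names are constructed.
"""


def intersect(a, b):
    """Intersection of two group sets where None means 'unrestricted'."""
    if a is None:
        return b
    if b is None:
        return a
    return a & b


def is_subset(a, b):
    """Is group set a contained in b, with None meaning 'every group'?"""
    if b is None:
        return True
    if a is None:
        return False
    return a <= b


def source_readers(name, fields, _path=()):
    """Groups allowed to read everything `name` is computed from, transitively.

    Returns None when no dependency is restricted. Detects cyclic depends.
    """
    if name in _path:
        raise ValueError("cyclic depends: " + " -> ".join(_path + (name,)))
    readers = None
    for dep in fields[name]["depends"]:
        dep_readers = intersect(fields[dep]["groups"], source_readers(dep, fields, _path + (name,)))
        readers = intersect(readers, dep_readers)
    return readers


def find_leaks(fields):
    """Computed fields whose own `groups` is wider than their sources permit."""
    return sorted(
        name for name, meta in fields.items()
        if meta["depends"] and not is_subset(meta["groups"], source_readers(name, fields))
    )


# Constructed sample: hypothetical fields on a sales order line.
COST_READERS = {"purchase.group_purchase_user", "account.group_account_user"}
FIELDS = {
    "price_unit": {"groups": None, "depends": ()},
    "product_cost": {"groups": COST_READERS, "depends": ()},
    "salary": {"groups": {"hr.group_hr_user"}, "depends": ()},
    # Leak: computed from the restricted cost but readable by everyone.
    "margin": {"groups": None, "depends": ("price_unit", "product_cost")},
    # Fine: restricted to a subset of the groups that may read its (transitive) sources.
    "margin_pct": {"groups": {"account.group_account_user"}, "depends": ("margin",)},
}

# Hardened version of the same declarations: margin inherits the cost restriction.
FIELDS_FIXED = {**FIELDS, "margin": {"groups": set(COST_READERS), "depends": ("price_unit", "product_cost")}}

if __name__ == "__main__":
    print("leaking fields:", find_leaks(FIELDS))        # ['margin']
    print("after fix:", find_leaks(FIELDS_FIXED))       # []
```

The check is static: it reasons about declarations only. It will not catch a value that escapes through a stored field read via read_group, a report, or a server action running as superuser, so it complements rather than replaces a review of how the field is used.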
Authentication Security
Two-Factor Authentication (2FA)
Enable 2FA for all users, especially those with administrative or sensitive data access. Odoo (version 14 and later) supports TOTP (time-based one-time passwords, RFC 6238) compatible with Google Authenticator, Authy and similar apps; users enrol from their Preferences under Account Security, and recent versions let an administrator enforce 2FA for every user from the Settings app. Treat it as mandatory for any account that holds Settings (administration) rights.
Password Policies
Odoo's built-in password policy (the auth_password_policy module, with the minimum length set under Settings > Permissions) enforces only a minimum length. Complexity rules, expiration and account lockout are not part of standard Odoo: add them through a community module or, better, delegate authentication to your identity provider with the OAuth or LDAP modules so the provider's policy and lockout apply. Because Odoo does not lock accounts after repeated failures, throttle brute-force attempts at the reverse proxy; fail2ban keyed on Odoo's "Login failed" log lines is the common approach.
API Key Management
Use API keys instead of passwords for automated integrations (Preferences > Account Security > New API Key, Odoo 14 and later). Each key can be revoked independently without touching the user's password, and the key value is shown only once at creation. A key carries every right of the user it belongs to, so create a dedicated integration user with the minimum groups the integration needs rather than issuing keys for an administrator.
Audit and Monitoring
Change Tracking
Enable change tracking on sensitive fields (the tracking attribute on the field definition, or the field's Tracking option in Studio) to log who changed what, when, and the old and new value in the record's chatter. Odoo tracks only the fields marked for it, not every field, so verify that the fields you care about are actually tracked. This is essential for financial records, HR data and any compliance-regulated information.
Login Monitoring
Monitor login activity. Odoo writes every outcome to the server log ("Login successful" and "Login failed" lines carrying the database, login and source IP) and records each user's latest login date, but it raises no alerts on its own. Ship the server log to your log management or SIEM and alert on bursts of failures, logins from new locations or outside business hours, and a success that follows a run of failures. If Odoo sits behind a reverse proxy, set proxy_mode = True so the logged address is the client's rather than the proxy's; otherwise every attempt appears to come from one IP and per-source detection is blind.
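As an added example of the detection logic described above (not part of the original article or of Odoo), the snippet below parses login outcomes from Odoo server log lines and raises two alerts: a burst of failures from one address, and a successful login from an address that has just produced such a burst. The log lines are constructed for the example in the shape of Odoo's default log format; the threshold and window are assumptions to tune for your environment.

```python
"""Brute-force and success-after-failures detection over Odoo login log lines.

Added illustration, not Odoo code. Sample lines are constructed in the shape
of Odoo's default log format (timestamp, pid, level, db, logger: message).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \d+ INFO \S+ \S+: "
    r"Login (?P<outcome>failed|successful) for db:(?P<db>\S+) login:(?P<login>\S+) from (?P<ip>\S+)$"
)


def parse_line(line):
    """Return a dict with ts/outcome/db/login/ip for a login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return event


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window detection per source IP; lines must be in chronological order.

    Alerts:
      ("brute_force", ip, n)                 -> n failures within `window`, raised once per burst
      ("success_after_failures", ip, login)  -> a login succeeded while a burst was in progress
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, ip = event["ts"], event["ip"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if event["outcome"] == "failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append(("brute_force", ip, len(recent)))
        else:
            if len(recent) >= threshold:
                alerts.append(("success_after_failures", ip, event["login"]))
            recent.clear()  # a success ends the burst; count afresh for this address
            alerted.discard(ip)
    return alerts


# Constructed sample log: one address hammers 'admin' then gets in; others are normal noise.
LOG = """\
2024-03-04 09:12:33,417 1523 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:admin from 203.0.113.7
2024-03-04 09:12:41,002 1523 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:admin from 203.0.113.7
2024-03-04 09:12:45,310 1524 INFO mydb odoo.addons.base.models.res_users: Login successful for db:mydb login:alice from 192.0.2.5
2024-03-04 09:12:50,118 1523 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:admin from 203.0.113.7
2024-03-04 09:12:58,775 1523 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:admin from 203.0.113.7
2024-03-04 09:13:02,004 1525 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:bob from 198.51.100.9
2024-03-04 09:13:05,640 1523 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:admin from 203.0.113.7
2024-03-04 09:13:12,091 1523 INFO mydb odoo.addons.base.models.res_users: Login failed for db:mydb login:admin from 203.0.113.7
2024-03-04 09:13:20,555 1523 INFO mydb odoo.addons.base.models.res_users: Login successful for db:mydb login:admin from 203.0.113.7
"""

if __name__ == "__main__":
    for alert in detect(LOG.splitlines()):
        print(alert)
```

The second alert is the one worth paging on: a burst that ends in a success is a plausible compromise, and the response is to invalidate the account's sessions and rotate its credentials rather than merely block the address.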
Session Management
Sessions expire after a fixed lifetime (one week by default); an inactivity timeout is not a standard setting, so use a community module such as OCA's auth_session_timeout if you need one. A user can end all their own sessions from Preferences > Account Security ("Log out from all devices"), and an administrator can force the same for any user by resetting that user's password, which invalidates existing sessions, for example when a device is lost.
Production Security Best Practices
- Principle of least privilege — start with minimal access, add permissions as needed
- Regular access reviews — quarterly audit of who has access to what
- Separate admin accounts — do not use admin accounts for daily work
- Secure the database — restrict direct PostgreSQL access to DBAs only, disable the web database manager in production (list_db = False in the configuration file) and set a strong admin_passwd, since that single password controls database creation, backup and restore
- Keep Odoo updated — security patches address known vulnerabilities
- Use HTTPS exclusively — terminate TLS at a reverse proxy, redirect all plain HTTP, and set proxy_mode = True so Odoo trusts the proxy's forwarded headers for the client IP and scheme
- Backup encryption — encrypt backups at rest, not just the live database
- Network segmentation — place the Odoo server behind a firewall with only necessary ports open
- Disable unused features — every enabled module is additional attack surface
- Document your security configuration — so it can be reviewed and replicated
Our Odoo support and maintenance service includes ongoing security audits and configuration reviews.
Frequently Asked Questions
Can I restrict menu visibility based on user groups?
Yes. Menu items are linked to groups, so users only see menus for modules and features they have access to, which keeps the interface clean. Treat this as a usability measure, not a security control: a hidden menu does not stop a user from reaching the model through a URL or through the JSON-RPC and XML-RPC APIs. Access rights and record rules are what actually enforce the restriction, so set those first and hide menus second.
How does multi-company security work?
Multi-company record rules are built into Odoo. Users are assigned the companies they may work in and see only those companies' data; the company switcher in the top bar lets them activate one or several of their allowed companies at a time, and the global multi-company rules filter out records belonging to any other company.
What happens when an employee leaves?
Deactivate (do not delete) the user account. This preserves audit trails and historical records while preventing login. Also remove the user from all groups, revoke any API keys they created, reset their password so existing sessions are invalidated, and reassign the records they own (open leads, pending approvals) so that workflows do not stall on an inactive user.
Can I audit who accessed specific records?
With change tracking enabled, you can see who modified records. For read access auditing, custom logging modules or server log analysis is needed, as Odoo does not track reads by default.
Written by
ECOSIRE Research and Development Team
Building enterprise-grade digital products at ECOSIRE. Sharing insights on Odoo integrations, e-commerce automation, and AI-powered business solutions.