Foundation security infrastructure for OpenSPP modules. Defines 22 domain-specific security categories, the central Administrator group, two base record rules for multi-company and self-only access, and the privilege framework. Domain modules register their security groups within these predefined categories.
- Define 22 domain-specific security categories (Registry, Programs, Entitlements, GRM, etc.) organizing security groups in user settings UI
- Provide central Administrator group (
group_spp_admin) that automatically inherits all manager-level permissions from installed domain modules - Implement multi-company record rule for
res.partnerrestricting access to records from user's companies - Implement self-only record rule for
res.usersrestricting users ingroup_access_restrict_selfto viewing only their own user record - Link Odoo system administrators (
base.group_system) to automatically inherit OpenSPP Administrator privileges
No configuration required. This module provides infrastructure only. When domain modules are installed, their security groups automatically appear under the appropriate category in Settings > Users & Companies > Users.
This module defines no model access rights (empty
ir.model.access.csv). It provides only security groups and record
rules.
| Group | XML ID | Purpose |
|---|---|---|
| Administrator | group_spp_admin |
Inherits all manager permissions from all domains |
| Restricted: Self Only | group_access_restrict_self |
Restricts users to viewing only their own record |
Record rules:
rule_partner_company: Multi-company access forres.partner(company_ids filter)rule_user_self_only: Self-only access forres.users(applied togroup_access_restrict_self)
Domain modules must follow this pattern to integrate with the security framework:
- Add
spp_securitytodependsin__manifest__.py - Define privileges referencing categories like
spp_security.category_spp_registry - Create domain-specific groups (Viewer, Officer, Manager) linked to those privileges
- Link the Manager group to
spp_security.group_spp_adminusingimplied_idsso admins automatically inherit domain permissions
Example from a domain module's security/groups.xml:
<record id="spp_security.group_spp_admin" model="res.groups">
<field name="implied_ids" eval="[Command.link(ref('group_registry_manager'))]"/>
</record>Administration: category_spp_admin
Domain categories: category_spp_registry, category_spp_programs,
category_spp_scoring, category_spp_entitlements,
category_spp_change_request, category_spp_approvals,
category_spp_payments, category_spp_grm, category_spp_case,
category_spp_health_monitoring, category_spp_hazard,
category_spp_drims, category_spp_farmer,
category_spp_service_points, category_spp_area,
category_spp_identity, category_spp_api, category_spp_audit,
category_spp_graduation, category_spp_services,
category_spp_sessions
Empty categories are automatically hidden by Odoo. Categories only appear when domain modules install groups under them.
Categories are centrally defined in spp_security but security groups
are distributed to domain modules. This design ensures groups only exist
when their domain module is installed, preventing UI clutter from unused
permissions and enabling flexible installation combinations.
base
Table of contents
- Initial migration to OpenSPP2
Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us to smash it by providing a detailed and welcomed feedback.
Do not contact contributors directly about support or help with technical issues.
- OpenSPP.org
Current maintainers:
This module is part of the OpenSPP/OpenSPP2 project on GitHub.
You are welcome to contribute.