<?xml version="1.0" encoding="utf-8" ?>
<odoo>
<!-- API V2 Domain Groups -->
<!-- Following ADR-004 three-tier architecture -->
<!-- Tier 3: Technical base groups -->
<!-- Tier 3 technical group: read access to API V2 models.
     Carries no privilege_id, so it is presumably not meant to be assigned to
     users directly; every Tier 2 group below reaches it through implied_ids. -->
<record id="group_api_v2_read" model="res.groups">
<field name="name">API V2: Read</field>
<field name="comment">Technical group for read access to API V2 models.</field>
</record>
<!-- Tier 3 technical group: write access to API V2 models.
     Implies Read, so any group that implies Write transitively reads as well.
     The concrete model access this group unlocks lives in the module's
     ir.model.access / record rules, not in this file. -->
<record id="group_api_v2_write" model="res.groups">
<field name="name">API V2: Write</field>
<field name="comment">Technical group for write access to API V2 models.</field>
<field name="implied_ids" eval="[Command.link(ref('group_api_v2_read'))]" />
</record>
<!-- Tier 3 technical group: creation of API clients and scopes.
     Within this file it only implies Read (not Write); the create permission
     named in the comment below is expected to be granted to this group in the
     access rules, which are not visible here. -->
<record id="group_api_v2_create" model="res.groups">
<field name="name">API V2: Create</field>
<field
name="comment"
>Technical group for API V2 create access. Grants permission to create new API clients and scopes.</field>
<field name="implied_ids" eval="[Command.link(ref('group_api_v2_read'))]" />
</record>
<!-- Tier 2: User-facing groups -->
<!-- All three groups share privilege_api_v2 so the user form presents them as a single radio selection -->
<!-- Tier 2 user-facing group: read-only.
     privilege_api_v2 is referenced without a module prefix, so it must be
     defined in this module and loaded before this file (check manifest data
     order). Implies only the technical Read group. -->
<record id="group_api_v2_viewer" model="res.groups">
<field name="name">Viewer</field>
<field name="privilege_id" ref="privilege_api_v2" />
<field
name="comment"
>Can view API V2 clients, scopes, and consent records. Cannot modify data.</field>
<field name="implied_ids" eval="[Command.link(ref('group_api_v2_read'))]" />
</record>
<!-- Tier 2 user-facing group: consent management.
     Implies Viewer (menus and read) plus the technical Write group.
     NOTE(review): group_api_v2_write is described above as write access to
     API V2 models in general, while the comment below says officers cannot
     modify API clients. Confirm in the access rules that write on the client
     and scope models is not granted to group_api_v2_write, otherwise Officer
     is wider than documented. -->
<record id="group_api_v2_officer" model="res.groups">
<field name="name">Officer</field>
<field name="privilege_id" ref="privilege_api_v2" />
<field
name="comment"
>Can view and manage consent records. Can grant/revoke consent but cannot modify API clients.</field>
<field
name="implied_ids"
eval="[Command.link(ref('group_api_v2_viewer')), Command.link(ref('group_api_v2_write'))]"
/>
</record>
<!-- Tier 2 user-facing group: full API V2 configuration.
     Implies Officer (hence Viewer, Write and Read) plus the technical Create
     group; this is the widest group in the privilege radio. -->
<record id="group_api_v2_manager" model="res.groups">
<field name="name">Manager</field>
<field name="privilege_id" ref="privilege_api_v2" />
<field
name="comment"
>Full control over API V2 configuration including create/modify API clients and manage scopes.</field>
<field
name="implied_ids"
eval="[Command.link(ref('group_api_v2_officer')), Command.link(ref('group_api_v2_create'))]"
/>
</record>
<!-- Standalone auditor group: has its own privilege (privilege_api_v2_auditor), so it renders as an opt-in checkbox rather than joining the API V2 privilege radio -->
<!-- Sensitive-data group: members can read request/response bodies, search
     parameters and IP addresses stored in the API logs. Treat assignment as a
     privileged, reviewable decision rather than a convenience flag.
     Uses its own privilege (privilege_api_v2_auditor, defined elsewhere in
     this module) so it is granted independently of the Viewer/Officer/Manager
     choice. Implies Viewer only so the API V2 menus are reachable; it adds no
     write capability. -->
<record id="group_api_v2_auditor" model="res.groups">
<field name="name">API V2: Auditor</field>
<field name="privilege_id" ref="privilege_api_v2_auditor" />
<field
name="comment"
>Can view sensitive payload data in API logs (request/response bodies, search parameters, IP addresses). Implies Viewer for menu access.</field>
<field name="implied_ids" eval="[Command.link(ref('group_api_v2_viewer'))]" />
</record>
<!-- Extend the existing spp_security admin group so it implies both Manager and Auditor (admins therefore inherit Auditor's access to sensitive log payloads) -->
<!-- Extends the admin group owned by the spp_security module, so this module
     must depend on spp_security for the xmlid to resolve at install time.
     Command.link only appends to implied_ids; the admin group's existing
     implications are kept.
     NOTE(review): linking Auditor here means every spp admin can read the
     sensitive log payloads described above. Confirm that is intended and that
     admin membership is itself audited. -->
<record id="spp_security.group_spp_admin" model="res.groups">
<field
name="implied_ids"
eval="[
Command.link(ref('group_api_v2_manager')),
Command.link(ref('group_api_v2_auditor')),
]"
/>
</record>
</odoo>