| openspp |
|
|---|
This page is for implementers configuring role-based access in OpenSPP: assigning roles to users, using privileges and groups, and optionally scoping roles by area.
For a fully illustrated walkthrough (including step-by-step screenshots), see {doc}/tutorial/user_guides/administrating_role_based_access.
In day-to-day operations, you typically manage access through roles, not by directly ticking groups on the user's "Access Rights" tab:
- Roles are assigned to users (optionally time-bounded). A role implies one or more groups.
- Groups grant permissions through access control lists (ACLs) and record rules.
- Privileges (Odoo 19) organize which groups appear in the Settings UI and how they are presented to administrators.
If your deployment includes the Roles feature, OpenSPP shows a banner on the user form indicating that "access rights are managed by roles". In that setup, changes made directly in the user's "Access Rights" tab are not persistent.
- Go to Settings → Users & Companies → Users and click Create.
- Fill in name and email/login, then Save.
- Open the user record.
- Go to the Roles tab.
- Add one or more role lines:
- Role: the access role to grant
- From / To (optional): time-bound access
- Enabled: turn the role on/off
If the Areas module is installed, roles can be assigned as local and scoped to one or more Center Areas.
- For a local role line, select a Center Area on the role line.
- OpenSPP computes the user's "Center Areas" based on local role assignments.
- Record rules in domain modules can use the user's center areas to restrict which records are visible.
- To temporarily remove access, Archive the user (or disable specific role lines).
- To end time-bound access, set the role line's To date.
- To permanently remove permissions, remove role lines and save.
Odoo caches menu visibility at login. If you change roles/groups for a user who is already logged in, ask them to log out and log back in to refresh the menus.
You can create new roles that combine multiple groups:
- Go to Settings → Users & Companies → Roles.
- Create a role and add the implied groups it should grant.
- Assign the role to users on the user form.
For long-term maintainability, prefer implementing new privileges/groups/roles in an OpenSPP module (XML/CSV) rather than changing core security definitions from the UI.
See {doc}/tutorial/access_management for a concise overview of access management. For architecture details (roles, privileges, groups, record rules, and the access-control compliance checker), refer to your project's technical reference or OpenSPP module documentation.