• Tek Siong, Hock

Odoo CE Accounting - Access Right and Authorization

Updated: 5 days ago

In standard Odoo CE 12 Accounting, there are 3 primary roles for access rights. Prior versions of Odoo may have used different terms for the following roles:


1) Billing - lowest level, assigned to users who do invoicing and payment (e.g. Customer Invoice, Vendor Bill, Payment and Credit Notes).

Technical ID = account.group_account_invoice


2) Billing Manager - mid level; apart from invoicing and payment, this role also has access to some financial reports and configuration.

Technical ID = account.group_account_manager


3) Accountant - highest level, with full access to the Accounting module.

Technical ID = account.group_account_user




Accounting access is the most sensitive and critical in any company, and each company has its own organization, teams, departments and access control.

As such, Odoo offers the flexibility to customize access rights in the following ways:


a) Menu Access

When a menu is hidden from a user, the user cannot open it from the interface.

The example below restricts the payment menu to Accountant only, in the view.


<record id="account.menu_action_account_payments_payable" model="ir.ui.menu">
    <field name="groups_id" eval="[(6,0, [ref('account.group_account_user')])]"/>
</record>



b) Field Level and Button Access

When a button or field is hidden from a user, the user cannot use it from the interface.

The example below makes the Invoice Cancel button visible only to Accountant/Billing Manager.


<record id="invoice_form_cancel_inherit_goexcel" model="ir.ui.view">
    <field name="name">invoice.form.cancel.inherit.goexcel</field>
    <field name="model">account.invoice</field>
    <field name="inherit_id" ref="account.invoice_form"/>
    <field name="arch" type="xml">
        <xpath expr="//button[@name='action_invoice_cancel']" position="attributes">
            <attribute name="groups">account.group_account_manager,account.group_account_user</attribute>
        </xpath>
    </field>
</record>


c) Record Level Access

You can restrict a salesperson to seeing only his/her own invoices, a customer in the customer portal to viewing only his/her own invoices, or a Billing user to seeing only his/her own invoices.

You may view this blog for the details.



d) Python Code

The last option is always Python code.

The example below allows only Accountant/Billing Manager to change the account code in the Account Invoice line.


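from odoo import api, fields, models

class AccountInvoiceLine(models.Model):
    _inherit = 'account.invoice.line'  # the Account Invoice line model

    # Flag read by the form view to make account_id read-only.
    account_id_readonly = fields.Boolean(compute="_set_access_for_account_code")

    @api.multi
    def _set_access_for_account_code(self):
        # Only Billing Manager and Accountant may change the account code.
        user = self.env.user
        allowed = (user.has_group('account.group_account_manager')
                   or user.has_group('account.group_account_user'))
        for line in self:
            line.account_id_readonly = not allowed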

In the Account Invoice form:

<xpath expr="//field[@name='account_id']" position="attributes">
      <attribute name="groups"/>
      <attribute name="attrs">{'readonly':[('account_id_readonly','=',True)]}</attribute>
</xpath>
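Menu `groups_id`, view `groups` and `attrs` readonly settings control what the web client displays, so each one should be reviewed against the server-side rule (`ir.model.access`, `ir.rule` or a Python check) that enforces the same restriction. The script below is an added example, not code from the original post: it lists every such UI-level restriction in a module's data XML. The function name `ui_restrictions` and the `SAMPLE` data (constructed from the snippets above) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample module data, modelled on the snippets in this post.
SAMPLE = """<odoo>
  <record id="account.menu_action_account_payments_payable" model="ir.ui.menu">
    <field name="groups_id" eval="[(6,0,[ref('account.group_account_user')])]"/>
  </record>
  <record id="invoice_form_cancel_inherit_goexcel" model="ir.ui.view">
    <field name="model">account.invoice</field>
    <field name="arch" type="xml">
      <xpath expr="//button[@name='action_invoice_cancel']" position="attributes">
        <attribute name="groups">account.group_account_manager,account.group_account_user</attribute>
      </xpath>
      <xpath expr="//field[@name='account_id']" position="attributes">
        <attribute name="attrs">{'readonly':[('account_id_readonly','=',True)]}</attribute>
      </xpath>
    </field>
  </record>
</odoo>"""

def ui_restrictions(xml_text):
    """Return (kind, target, groups) for every UI-level restriction found."""
    found = []
    for rec in ET.fromstring(xml_text).iter("record"):
        if rec.get("model") == "ir.ui.menu":
            for f in rec.findall("field[@name='groups_id']"):
                # Group XML ids appear as ref('module.group') inside the eval.
                groups = re.findall(r"ref\('([^']+)'\)", f.get("eval", ""))
                found.append(("menu", rec.get("id"), groups))
        elif rec.get("model") == "ir.ui.view":
            model = rec.findtext("field[@name='model']")
            for xp in rec.iter("xpath"):
                m = re.search(r"//(\w+)\[@name='([^']+)'\]", xp.get("expr", ""))
                target = "%s:%s.%s" % (m.group(1), model, m.group(2)) if m else model
                for attr in xp.findall("attribute"):
                    if attr.get("name") == "groups" and attr.text:
                        found.append(("view-groups", target, attr.text.split(",")))
                    elif attr.get("name") == "attrs" and "readonly" in (attr.text or ""):
                        found.append(("view-readonly", target, []))
    return found

if __name__ == "__main__":
    for kind, target, groups in ui_restrictions(SAMPLE):
        print("%-13s %-45s %s" % (kind, target, ", ".join(groups) or "(computed flag)"))
```

Each row in the output is a restriction to confirm on the server side, for example by testing the same operation as a Billing user.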



©2019 by Excelroot Technology Sdn Bhd.