Access Rights

There are 5 levels of access rights: model, actions, field, button and record. Every access right is based
on the groups of the user. The model and field access rights are checked for every RPC call for which
trytond.rpc.RPC.check_access (../ref/rpc.html#trytond.rpc.RPC.check_access) is set. The others
are always enforced.

Model Access
They are defined by records of ir.model.access which define for each couple of model and group, the
read, write, create and delete permission. If any group of the user has the permission activated, then the
user is granted this permission.

Actions Access
Each action define a list of groups that are allowed to use it. There is a special case for ref:wizard
<topics-wizard> for which the read access on the model is also checked and also the write access if
there is no groups linked.

Field Access
Same as for model access but applied on the field. It uses records of ir.model.field.access.

Button
For each button of a model the records of ir.model.button define the list of groups that are allowed to
call it.

Button Rule
The ir.model.button could contain a list of rules which define how much different users must click on
the button. Each rule must be passed to actually trigger the action. The counter can be reset when
another defined button is clicked.

Record Rule
They are defined by records of ir.rule.group which contains a list of ir.rule domain to which the rule
applies. The group are selected by groups or users. The access is granted for a record:

if the user is in at least one group that has the permission activated,
or if the user is in no group by there is a default group with the
permission,
or if there is a global group with the permission.
© Copyright 2008-2016, Tryton. Back to top
Last updated on May 02, 2017.
Created using Sphinx (http://sphinx-doc.org/) 1.3.1.