Access Control in Purchase Odoo 18
By Braincuber Team
Published on December 28, 2025
Procurement managers handling vendor relationships face security chaos when access control is missing:
- A junior purchasing clerk accidentally deletes a critical vendor price agreement worth a 500K annual contract because the system granted full delete permissions to all purchase users.
- A warehouse assistant viewing purchase orders discovers confidential supplier pricing and shares it with competitors, damaging the vendor relationship.
- An external consultant hired for a 3-month project gets Administrator access to the purchase module and can view all historical vendor negotiations, including sensitive rebate terms.
- With no role separation between RFQ creation and purchase approval, a single employee can create and approve their own orders, bypassing dual-control fraud prevention.
Without role-based permission management, improper access control creates data breach risks and compliance violations.
Odoo 18 Purchase Access Control enables secure procurement through a three-tier role system (Administrator/User/None), granular permission assignment per user, and multi-company access configuration. The Purchase Administrator has full control, including settings configuration, vendor management, and purchase agreement handling. The Purchase User has restricted access to RFQ creation, order management, and product data, without advanced reporting or configuration. The None role restricts the module completely. Applying the principle of least privilege this way reduces security incidents 85 percent: users access only the functions their job responsibilities require, which prevents unauthorized data modification and maintains procurement workflow integrity.
Access Control Features: Three-tier roles, User-level permissions, Multi-company config, Administrator full control, User restricted access, None complete restriction, Settings management, Vendor control, Data security
User Types in Odoo 18
Understand the three fundamental user categories:
Internal Users
- Organization employees
- Full system access potential
- Assigned specific roles
- Purchase User or Administrator
- Active procurement engagement
Portal Users
- External stakeholders
- Customers or suppliers
- Limited read-only access
- View relevant orders/invoices
- Cannot modify records
Public Users
- Anonymous website visitors
- No account required
- Public website content only
- No backend access
- No purchase interaction
Accessing User Configuration
- Go to Settings → Users & Companies → Users
- Click on user to open configuration form
- Select Access Rights tab
- Configure purchase module permissions
Multi-Company Configuration:
Under Multi Companies section:
- Allowed Companies: Which companies user can access
- Default Company: Primary company for user
Purchase Module Roles
Three primary access levels for Purchase module:
1. Administrator
Full Control and Configuration
Capabilities:
- Configure system settings
- Manage user permissions
- Oversee procurement workflows end-to-end
- Import supplier price lists
- Monitor stock levels at vendor locations
- Set up Purchase Agreements
- Control vendor information
- Update product details
- Handle billing and approvals
- Access advanced reporting
- Create custom filters and views
- Configure module-specific settings
Use for: Procurement managers, system administrators, executive oversight
2. User
Restricted Operational Access
Capabilities:
- Create RFQs (Requests for Quotation)
- Convert RFQs to Purchase Orders
- Manage vendor records
- Update product information
- Access Orders and Products menus
- View assigned procurement tasks
Restrictions:
- No advanced reporting access
- Cannot create custom filters
- Cannot configure module settings
- Limited menu visibility
- No purchase agreement management
Use for: Purchasing clerks, procurement officers, day-to-day buyers
3. None
Complete Module Restriction
Effect:
- No access to Purchase module
- Cannot view purchase data
- Cannot create or modify orders
- Purchase menu hidden
- Complete functional restriction
Use for: Sales team, HR staff, employees without procurement responsibilities
Role Assignment Workflow
Example: New Purchasing Clerk
- Create User:
  - Settings → Users → Create
  - Enter name, email, password
- Assign Access Rights:
  - Access Rights tab
  - Purchase: User (not Administrator)
- Set Company:
  - Multi Companies section
  - Allowed Companies: Main Company
  - Default Company: Main Company
- Save User
- Employee Can Now:
  - Create RFQs
  - Convert to POs
  - Manage vendors
  - Update products
- Employee Cannot:
  - Delete purchase agreements
  - Access advanced reports
  - Configure settings
  - Manage user permissions
Security Best Practices
Follow the Principle of Least Privilege: Granting Administrator access to all purchase employees is unnecessary risk exposure. A junior clerk with Administrator access accidentally deletes a vendor, costing 500K in contract recovery. Grant the minimum required access: Purchase User for clerks, Administrator only for managers. Restricting permissions this way reduces error risk 85 percent.
Audit Access Quarterly: Permissions that are set once and never revisited lead to security drift. An employee promoted from clerk to manager 6 months ago still has User access and lacks the admin functions the new role needs. A quarterly review ensures permissions match current responsibilities, preventing both over-privileged and under-privileged access.
Remove Access for Departed Employees Immediately: Leaving a terminated employee's account active is a major security breach. A former purchasing manager retains Administrator access 3 weeks post-termination and accesses confidential vendor negotiations. Revoking access on the termination day prevents unauthorized data access and maintains compliance.
Common Role Scenarios
| Position | Recommended Role | Reasoning |
|---|---|---|
| Procurement Manager | Administrator | Needs full oversight and config access |
| Purchasing Clerk | User | Daily RFQ/PO creation, no need for settings access |
| Warehouse Manager | User | Views orders, manages receiving |
| Finance Team | User or None | May need view access for invoicing |
| Sales Team | None | No procurement responsibilities |
| External Consultant | User (temporary) | Limited access, remove after project |
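
The quarterly audit and offboarding checks from the best practices, applied against the role table above, as an added example (not Braincuber's or Odoo's code). The record fields (`position`, `purchase_role`, `employment_ended`, `access_until`) and the sample users are constructed assumptions; a real audit would fill them from the Odoo user list and HR records.

```python
from datetime import date

# Recommended Purchase role per position, copied from the role table above.
RECOMMENDED = {
    "Procurement Manager": {"Administrator"},
    "Purchasing Clerk": {"User"},
    "Warehouse Manager": {"User"},
    "Finance Team": {"User", "None"},
    "Sales Team": {"None"},
    "External Consultant": {"User"},
}
RANK = {"None": 0, "User": 1, "Administrator": 2}


def audit(users, today):
    """Return sorted (login, finding) pairs for accounts that need review."""
    findings = []
    for u in users:
        login, role = u["login"], u["purchase_role"]
        ended = u.get("employment_ended")
        if u["active"] and ended is not None and ended <= today:
            findings.append((login, "departed but account still active"))
            continue  # revocation comes first; role fit no longer matters
        allowed = RECOMMENDED.get(u["position"])
        if allowed is None:
            if role != "None":
                findings.append((login, "position not in role table"))
        elif role not in allowed:
            ceiling = max(RANK[r] for r in allowed)
            kind = "over-privileged" if RANK[role] > ceiling else "under-privileged"
            findings.append((login, f"{kind}: has {role}"))
        until = u.get("access_until")  # end date of temporary access, if any
        if role != "None" and until is not None and until < today:
            findings.append((login, "temporary access expired"))
    return sorted(findings)


# Constructed sample export (hypothetical field names, not Odoo's schema).
TODAY = date(2025, 12, 28)
SAMPLE_USERS = [
    {"login": "clerk1", "position": "Purchasing Clerk", "purchase_role": "Administrator", "active": True},
    {"login": "mgr_new", "position": "Procurement Manager", "purchase_role": "User", "active": True},
    {"login": "mgr_old", "position": "Procurement Manager", "purchase_role": "Administrator",
     "active": True, "employment_ended": date(2025, 12, 7)},
    {"login": "consult", "position": "External Consultant", "purchase_role": "User",
     "active": True, "access_until": date(2025, 11, 30)},
    {"login": "sales1", "position": "Sales Team", "purchase_role": "None", "active": True},
]

if __name__ == "__main__":
    for login, finding in audit(SAMPLE_USERS, TODAY):
        print(f"{login}: {finding}")
```
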
Conclusion
Odoo 18 Purchase Access Control enables secure procurement through a three-tier role system (Administrator, User, and None) with granular permission assignment. Reduce security incidents 85 percent by applying the principle of least privilege: users access only the functions their job responsibilities require, which prevents unauthorized data modification and maintains procurement workflow integrity through proper role-based access control and regular permission auditing.
