How to Import ACLs from CSV in Odoo 19: Complete Tutorial
When your Odoo deployment has dozens of departments, hundreds of users, and a complex matrix of permissions, setting access rights one by one is slow and error-prone. Importing ACLs from CSV solves this: you define all your model-level permissions in a single spreadsheet and load them in one go, with the bonus of version-controllable access configuration you can recreate across instances. This complete tutorial is a step by step beginner guide to importing ACLs from CSV in Odoo 19, covering what ACLs are, the exact ir.model.access format, every column, a ready example, and how to verify it all works.
What You'll Learn:
- What ACLs are and where Odoo stores them
- The ir.model.access CSV format and every column
- A complete, ready-to-use example CSV
- The step by step import process
- How to update existing ACLs and verify access
- ACLs vs record rules, and best practices
What Are ACLs?
An ACL (Access Control List) is a rule that grants specific permissions to specific groups on specific models. ACLs control CRUD operations, Create, Read, Write, Delete, and Unlink. They are stored in the ir.model.access model, which you can browse at Settings > Technical > Security > Access Rights.
The CSV Format
Your CSV needs these columns. Only name and model_id are required; permission columns take 1 (allow) or 0 (deny).
| Column | Required | Values / Example |
|---|---|---|
| name | Yes | Unique identifier, e.g. sale_order_user_read |
| model_id | Yes | Model in dot notation, e.g. sale.order |
| group_id | No | Group name or ID, e.g. Sales Team (blank = all users) |
| perm_read | No | 1 or 0 (read access) |
| perm_write | No | 1 or 0 (edit access) |
| perm_create | No | 1 or 0 (record creation) |
| perm_delete | No | 1 or 0 (deletion) |
| perm_unlink | No | 1 or 0 (permanent deletion) |
Example CSV
Here is a complete example covering multiple models and groups. Save it as a .csv file and adjust the model and group names to your needs.
name,model_id,group_id,perm_read,perm_write,perm_create,perm_delete,perm_unlink
sale_order_user_read,sale.order,Sales Team,1,0,0,0,0
sale_order_user_create_write,sale.order,Sales Team,1,1,1,0,0
sale_order_manager_full,sale.order,Sales Manager,1,1,1,1,1
res_partner_user_read,res.partner,Sales Team,1,0,0,0,0
res_partner_user_write,res.partner,Sales Team,1,1,0,0,0
res_partner_manager_full,res.partner,Sales Manager,1,1,1,1,1
stock_move_warehouse_read,stock.move,Warehouse Staff,1,0,0,0,0
stock_move_warehouse_write,stock.move,Warehouse Staff,1,1,1,0,0
invoice_finance_full,account.move,Finance,1,1,1,1,1
Step by Step: Importing the CSV
Open the Access Rights List
Enable developer mode, then go to Settings > Technical > Security > Access Rights to see all existing ACL records in the ir.model.access model.
Prepare the CSV File
Create your CSV with properly formatted columns. The easiest way to get the format exactly right is to export an existing access record as a template, then fill in your rows.
Import and Map Columns
Click the Import button in the list view. In the dialog, select your CSV file and map each column to the matching Odoo field.
Preview the Import
Review the preview before finalizing: verify all rows are recognized, check for error messages, confirm group names resolve correctly, and validate the field values.
Complete and Verify
Click Import to create all ACL records at once. Then test by creating a non-admin user, assigning the group, and attempting restricted actions, you should see an "AccessError: Access denied" for anything not granted.
Updating Existing ACLs
There are three ways to change ACLs after import:
UI or Delete & Reimport
Edit the ACL permissions directly in the list view, or remove the old ACLs and import an updated CSV to replace them.
Python Script
Use env["ir.model.access"].search() to locate records and .write() to modify their permissions programmatically.
ACLs Not Working?
If users seem to bypass ACLs, remove them from the Admin group, administrators bypass ACL restrictions. If ACLs do not apply, confirm users are in the specified groups, the module is installed, and check both ACLs and Record Rules.
ACLs vs Record Rules
| Mechanism | Controls | Scope |
|---|---|---|
| ACLs | Model-level access | The entire model |
| Record Rules | Record-level access | Specific records |
Both must be satisfied for access to be granted. An ACL can allow read on a model while a record rule still restricts which individual records a user can see.
Key Insight:
Batch CSV import is most powerful for organizations with many departments, users, and complex permission matrixes. Keeping ACLs in CSV gives you version control over access configuration and lets you recreate the exact same permissions across staging and production instances.
Frequently Asked Questions
What is an ACL in Odoo?
An ACL is a rule that grants specific permissions to specific groups on specific models. It controls create, read, write, delete, and unlink, and is stored in the ir.model.access model.
What columns does the ir.model.access CSV need?
name and model_id are required; group_id, perm_read, perm_write, perm_create, perm_delete, and perm_unlink are optional. Permission columns take 1 (allow) or 0 (deny).
Where do I import ACLs in Odoo 19?
Go to Settings > Technical > Security > Access Rights, click Import in the list view, select your CSV, map the columns, preview, then import to create all records at once.
Why are my ACLs not working?
Common causes: the user is in the Admin group (admins bypass ACLs), the user is not in the specified group, the module is not installed, or a record rule also blocks access. Both must pass.
What is the difference between ACLs and record rules?
ACLs control model-level access (the entire model), while record rules control record-level access (specific records). Both must be satisfied for access to be granted.
Need Help Securing Your Odoo Instance?
Our Odoo experts can design and implement clean access-rights matrixes, ACLs, record rules, and group structures, so the right people see exactly what they should. Get help locking down your Odoo 19 security.
About the author
Odoo Practice Lead, Braincuber Technologies
Leads the Odoo practice at Braincuber. Has delivered Odoo ERP implementations, NetSuite/Tally migrations, and Shopify–Odoo integrations for US mid-market and D2C brands. Owns scoping, data migration, and go-live for every Odoo engagement.