Implementing Role-Based Access Control (RBAC) in Odoo: Complete Guide

Quick Answer

Odoo RBAC uses 3 layers: Groups (roles), Access Rights (model-level CRUD permissions), and Record Rules (record-level visibility filters) to prevent data disasters. The problem: Warehouse manager accesses customer credit cards, intern deletes $500k orders, sales team sees each other's commissions, accountant modifies tax records = disaster waiting. Real case: $3.6M fashion brand, operations manager accidentally deleted 2,000 confirmed orders (had delete permissions), company spent $47,200 recovering data + re-fulfilling orders, customer churn worse. 73% D2C brands we audit don't have proper RBAC = people have too much access = not malice, negligence. Give someone "admin" to solve one problem, suddenly they see everything. Why it matters: 50 staff with broader access than needed = exponential probability of accidental data loss. Warehouse deletes invoices (clearing clutter), sales reps modify commission (fixing numbers), accountants overwrite taxes (Excel habit), interns access payment data. Single incident cost: $15k-$150k (data recovery, compliance notifications, refunds, legal). Hidden cost: CFOs manually reviewing every transaction = 40 hours/week waste. 3 RBAC layers: (1) Groups (Sales Manager, Sales Rep, Warehouse Staff, Finance) = assign users to groups, each group gets model permissions (quick setup, limited). (2) Record Rules (real control) = sales reps only see own orders [('user_id', '=', user.id)], warehouse only sees own warehouse orders, finance only sees own company invoices = actual data visibility. (3) Field-level access (nuclear option) = hide cost field from sales, hide salary from non-HR, rarely needed but critical. Setup: Define specific roles (not "admin"/"user"), create groups in Odoo (Settings → Users & Groups), define access rights CSV (read/write/create/delete), create record rules XML with domain_force. Access rights CSV: access_order_salesman = sale.order, group_sale_salesman, perm_read=1, perm_write=1, perm_create=1, perm_unlink=0 (never give delete to non-managers). Record rules: domain_force [('user_id', '=', user.id)] = own orders only, [(1, '=', 1)] = see all (managers). Real implementation: Athletic apparel $2.1M/month, 35 staff. Before: operations sees payment data, sales modifies commissions, warehouse deletes records = compliance nightmare. After: 9 specific roles, record rules by user/warehouse/company, hidden sensitive fields = 90% security incident risk drop, compliance met, audit trails clean. Critical: Test by logging in as each role, insurance won't pay breaches without RBAC, humans make mistakes = RBAC prevents mistakes from becoming catastrophes.