Security is very important for an enterprise application, and therefore, Odoo has access control features that offer proper user authorization and security for the data. Security Domains are one of the main features of access control that Odoo provides, and they are basically implemented through record rules.
Security domains help identify the records that can be accessed by a particular user according to certain conditions, and this feature works together with ACLs for record-level security.
What Are Security Domains in Odoo?
In Odoo, a security domain is a logical condition (or filter) applied to restrict access to specific records in a model.
These domains are used in Record Rules to:
- Control visibility of records
- Restrict read, write, create, or delete operations
- Ensure users only access relevant data
A domain is written as a list of tuples, similar to filters used in Odoo search operations.
Example:
[('user_id', '=', user.id)]
This ensures that users can only see records assigned to them.
Why Are Security Domains Important?
Security domains help in:
- Data Isolation: Users only see data relevant to them
- Improved Security: Prevent unauthorized access
- Business Logic Enforcement: Apply rules like department-wise or role-based access
- Multi-Company Support: Restrict access based on company
How Security Domains Work
Security domains are applied through Record Rules, which are evaluated after ACLs.
Flow of Access Control:
- ACL (Access Control List) > Checks model-level permissions
- Record Rules (Security Domains) > Filters specific records
The domain rules are applied only if the user passes the ACL checks.
Types of Security Domains
1. Global Domains
Applied to all users unless restricted by groups.
Example:
[('active', '=', True)]
2. Group-Based Domains
Applied only to users belonging to specific groups.
Example:
[('department_id', '=', user.department_id.id)]
3. Owner-Based Domains
Restrict access to records owned by the user.
Example:
[('create_uid', '=', user.id)]
Creating Security Domains (Record Rules)
You can define security domains in XML using record rules.
Example:
<record id="rule_sale_order_user" model="ir.rule">
    <field name="name">Sales Order: User Access</field>
    <field name="model_id" ref="sale.model_sale_order"/>
    <field name="domain_force">[('user_id', '=', user.id)]</field>
    <field name="groups" eval="[(4, ref('sales_team.group_sale_salesman'))]"/>
</record>
Key Fields Explained:
- model_id > Target model
- domain_force > Security domain condition
- groups > Applies rule to specific user groups
Common Use Cases
1. Sales Team Access Control
Salespersons can only see their own orders:
[('user_id', '=', user.id)]
2. Department-Based Access
Employees can access only their department records:
[('department_id', '=', user.department_id.id)]
3. Multi-Company Restriction
Users can only access records from their company:
[('company_id', 'in', user.company_ids.ids)]
Combining Domains
Domains can be combined using logical operators:
Example:
['|', ('user_id', '=', user.id), ('manager_id', '=', user.id)]
This allows access if the user is either the owner or the manager.
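The following added example (not from the original article and not Odoo's own code) is a small stand-alone evaluator for prefix-notation domains. It shows that '|' covers only the next two terms and that any further term is implicitly ANDed with the result. The records, USER_ID and the function names are constructed for illustration.

```python
import operator

COMPARATORS = {  # subset of operators, enough for this illustration
    '=': operator.eq,
    'in': lambda value, options: value in options,
}

def normalize(domain):
    """Make the implicit '&' between consecutive terms explicit."""
    result, expected = [], 1           # expected: expressions still needed
    for token in domain:
        if expected == 0:              # expression complete but more terms follow:
            result.insert(0, '&')      # AND everything so far with what follows
            expected = 1
        result.append(token)
        if token in ('&', '|'):
            expected += 1              # binary operator needs two operands
        elif token != '!':
            expected -= 1              # a (field, operator, value) term
    if expected != 0:
        raise ValueError("malformed domain: %r" % (domain,))
    return result

def matches(domain, record):
    """Return True if record (a dict of field values) satisfies the domain."""
    if not domain:
        return True                    # an empty domain matches every record
    tokens = iter(normalize(domain))
    def evaluate():
        token = next(tokens)
        if token == '!':
            return not evaluate()
        if token in ('&', '|'):
            left, right = evaluate(), evaluate()
            return (left and right) if token == '&' else (left or right)
        field, op, value = token
        return COMPARATORS[op](record.get(field), value)
    return evaluate()

USER_ID = 7  # constructed stand-in for user.id
RECORDS = [  # constructed sample records
    {'id': 1, 'user_id': 7, 'manager_id': 3, 'active': True},
    {'id': 2, 'user_id': 4, 'manager_id': 7, 'active': True},
    {'id': 3, 'user_id': 4, 'manager_id': 3, 'active': True},
    {'id': 4, 'user_id': 7, 'manager_id': 3, 'active': False},
]
OWNER_OR_MANAGER = ['|', ('user_id', '=', USER_ID), ('manager_id', '=', USER_ID)]
OWNER_OR_MANAGER_ACTIVE = OWNER_OR_MANAGER + [('active', '=', True)]  # (A or B) and C
def visible_ids(domain):
    return [r['id'] for r in RECORDS if matches(domain, r)]
```

Moving the '|' in front of a different term changes which records are visible, so check the normalized form of a domain before shipping it in a record rule.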
Important Considerations
- Record rules are restrictive by default
- Multiple rules are combined using AND logic
- Incorrect domains can block access completely
- Always test rules with different user roles
Best Practices
- Keep domains simple and readable
- Avoid overly complex conditions
- Test with multiple users and scenarios
- Use group-based rules instead of global rules when possible
- Document your rules clearly
Common Mistakes to Avoid
- Forgetting to assign groups to rules
- Writing overly restrictive domains
- Not considering multi-company behavior
- Using incorrect field references
Security domains make record-level access control in Odoo highly flexible. Used along with ACLs, they let the developer ensure that an application complies with organizational needs and is highly scalable and secure. It is, therefore, important for every Odoo developer to learn how to use security domains properly.
To read more, refer to our blog Complete Overview of Security in Odoo 19.