I’d like to share with you some thoughts I had about the support of access rights in OpenERP, and how I think it should be improved.
Access rights in OpenERP are already well implemented. In particular, it is possible:
- To set access rights on the various menus, or on the actions to which they are linked.
- To set access rights on the object itself, with read / write / creation / deletion rights.
- To define rights on the fields themselves, either in views or at the object level.
- To define the segmentation between records with access rules, which I think are already very powerful.
These tools cover a lot of situations where access rights are needed, for example if we want to prohibit access to an object, block a specific menu, act on a particular field or allow access to only some records of an object (some of the partners, for example).
But there is one case that is not covered, and I think business needs are such that it could very quickly become a blocker. This case is the dual read / write access right.
It exists on objects, but not on fields or at the level of access rules.
Thus, if we put a right on a field, the field disappears from the interface of any user who does not have that right, even if we wanted him to keep read access to the field while the manager has write access.
Similarly, if a user does not satisfy the access rules for a partner record, for example, then he cannot even see the record.
However, it is very common for a company to need to give read access to information to as many people as possible while only a few people can change it.
For example, imagine the case where salesmen have access to the specifications of sales management. Today, everyone has write access to the quotations of all salesmen, whereas normally they should have write access to their own quotations and read access to the others, because they may take a call from a customer of another salesman and need to consult the offer that was made.
I propose to replace the many2many access rights on view elements, on model fields and on access rules with two many2many relations: one listing the groups with read rights and the other listing the groups with write rights on the field or record.
Of course, the principle of accumulation of rights that prevails in the OpenERP system also applies here.
If the user is a member of one or more groups with the read right, he will have the read right. (I should note that the read right is not sufficient to activate the workflow buttons of the record, for example to confirm a sales order.)
If he is a member of a group with the read right and of another with the write right that applies to the same field or record, then he will have the write right.
If he is not a member of any group having at least the read right, the field will not appear on the screen.
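The resolution rules above, applied to the quotation scenario, as an added example that is not OpenERP code. It is a simplified model: rules are plain dictionaries, and the group names, users and `record_access` helper are hypothetical.

```python
from enum import IntEnum

class Access(IntEnum):
    NONE = 0    # field hidden / record not visible
    READ = 1    # shown read-only
    WRITE = 2   # editable

def effective_access(user_groups, read_groups, write_groups):
    """Rights accumulate: the highest right granted by any group wins."""
    user_groups = set(user_groups)
    if user_groups & set(write_groups):
        return Access.WRITE
    if user_groups & set(read_groups):
        return Access.READ
    return Access.NONE

def record_access(user, record, rules):
    """Highest right over every rule whose domain matches the record."""
    levels = [effective_access(user["groups"], r["read_groups"], r["write_groups"])
              for r in rules if r["domain"](user, record)]
    return max(levels, default=Access.NONE)

# Constructed sample data for the quotation scenario (all names hypothetical).
QUOTATION_RULES = [
    {"domain": lambda user, rec: rec["user_id"] == user["id"],  # own quotations
     "read_groups": set(), "write_groups": {"salesman"}},
    {"domain": lambda user, rec: True,                          # all quotations
     "read_groups": {"salesman"}, "write_groups": {"sales_manager"}},
]
ALICE = {"id": 1, "groups": {"salesman"}}
BOB = {"id": 2, "groups": {"salesman"}}
MANAGER = {"id": 3, "groups": {"salesman", "sales_manager"}}
CLERK = {"id": 4, "groups": {"warehouse"}}
BOB_QUOTE = {"name": "SO002", "user_id": 2}

if __name__ == "__main__":
    for name, user in [("alice", ALICE), ("bob", BOB),
                       ("manager", MANAGER), ("clerk", CLERK)]:
        print(name, record_access(user, BOB_QUOTE, QUOTATION_RULES).name)
```

A salesman gets write access to his own quotation and read access to a colleague's, while a user in no listed group does not see the record at all.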
This is really the only criticism I can make of the current access rights system. With this correction, I think there will be no situation that the access rights system cannot cope with.
I already sent my comments to Tiny, let’s see what they think. In the meantime, feel free to respond in the comments.