This is the documentation for older versions of Odoo (formerly OpenERP).


User Login

Tip

Managing Passwords

If you let users change their passwords for themselves, you will have no direct control over the password they choose. You should have a written policy about password strength to try to maintain a level of security in your system.

Tip

Managing Users through LDAP

With the auth_ldap module, user accounts can be managed through an LDAP directory that can be made common to various different company resources.

Connection parameters for the LDAP directory are then registered with the company definition. You can provide a user profile template there from which new users are automatically created during their first connection to OpenERP.

Note

LDAP

The LDAP protocol (Lightweight Directory Access Protocol) enables you to manage common directories for various different resources through your standard TCP/IP network.

This enables users in the company to use the same username and password to access all their applications (such as email and the intranet).

Managing Access Rights

One of the most important areas in configuring OpenERP is how to manage access rights to the information in it.

You are planning to put everything significant to your business into the system, but most of your staff need see only part of it, and may need to change even less of it. Who should have rights to what, and how do you manage that?

OpenERP's approach to rights management is very flexible. Each user can belong to one or more groups, and the groups they belong to determine:

  • the visibility of each menu item and

  • the accessibility of each table in the database.

For example, the group Warehouse / User may only be given access to some of the menus in Warehouse, and may have no access to any of the accounting information. Each system user who works in stores is given membership of the Warehouse / User group. If some users also work elsewhere, they would also be given membership of other groups.

Groups and Users

To configure access rights, you would start by defining the groups. It is important for the groups to be representative of your company's job functions rather than of its individual employees.

So if your finance director is also your sales director, you should create both a Finance Director group and a Sales Director group, even though they are both the same person, and would both be assigned to this user in practice. This gives you flexibility for the future.

You should also create groups within departmental areas that have different levels of access rights. For example, if you create a Sales Director group and a Sales group, avoid assigning exactly the same rights to each group. The first could see all of the reports, while the second could be restricted to seeing quotations. You could either make the Sales Director a member of both groups, and give the Sales Director group a limited set of extra rights, or give the Sales Director group all the rights it needs for a Sales Director to belong only to this one group. You should choose the scheme that gives you most flexibility and then stick with it to maintain consistency.

Tip

Flexibility in Managing Access

To give yourself flexibility, you can ensure that a trusted staff member (perhaps a director or someone in accounts) is given wide rights to use the system, and is authorized by management to carry out specific tasks for managing employees' rights.

Access Rights for Menus

To get a feel for rights management in OpenERP, you will create a new Stock1 group, with access to the Warehouse menu items. You will then create a stores person user who is a member of the Stock1 group.

To create a new group, use the menu Settings ‣ Users ‣ Groups. Enter the group name Stock1.

Then to create a new user linked to this, use Settings ‣ Users ‣ Users to enter the following:

  • User Name : Stores Person ,

  • Login : stores ,

  • Password : stores ,

  • Menu Action : Menu .

In the Groups section of the user form, add the Stock1 group that you just created.


Groups that have access to the Warehouse menu

Save the user, then go into the menu Settings ‣ Technical ‣ User Interface ‣ Menu Items to get a list of menus. Filter this list using the search field Menu to get the Warehouse menu item. In the form describing the menu, add Stock1 into the Groups field. From now on, only members of the Warehouse / Manager, Warehouse / User and Stock1 groups will be able to see this menu item in their main menu list.

Tip

Menu Hierarchy

Since menus are hierarchical, there is no need to hide access to lower menus: once you have configured Warehouse this way, all lower-level menus become invisible to members of other groups.

Tip

Security

This method of managing access to menus does not guarantee that users are prevented from reaching hidden business objects in the system in other ways. For example, hiding the Invoices menu will not prevent people reaching invoices through purchase and sales orders, or by guessing the URL.

For effective security management, you must use the methods for managing access rights to objects presented in the following section.

Note

Initial Access Configuration

In the initial configuration, OpenERP's admin user, a member of the Administration / Settings group, is given access to the Configuration menu in each section of the main menu. This is a general convention. For example, Sales ‣ Configuration is visible in the administrator's menu amongst the other Sales menu items. But only the menu items other than Sales ‣ Configuration are visible to other users. Similarly, the main menu item Administration is, by convention, visible only to users who are members of the Administration / Settings group.

Access Rights to Objects

The menu access rights determine who can access which menu, but do not define what you can do once you are in the menu.

Access control to objects enables you to define what your users have the right to do with the data once they have access to it. Access control to objects is structured the same way as access to menus.

Note

Object

An object represents a document in the system. Objects are linked to database tables, and also have additional concepts, such as the functions of fields, inheritance from other objects, and class methods that give them behavior.

If no group is assigned to an object, all users can access it without any restriction. Conversely, if access control is defined for an object, a user must be a member of a group that holds the appropriate access rights in order to have any access to that object.

You must always ensure that you do not lock the Administration / Access Rights group out of any object that controls administration and configuration options, such as the ir.model.access model.

You can manage four access modes on objects independently:

  • Read access : members of the group can read the data in the object,

  • Create access : members of the group can create a new record in the object,

  • Write access : members of the group can modify the contents of records in the object,

  • Delete access : members of the group can delete records from the object.


Access control to invoices for the Accounting & Finance / Invoicing & Payments

To configure access rights on an OpenERP object, use the menu Settings ‣ Security ‣ Access Controls List and click Create or choose an existing one and click Edit. You give a Name to the access control, select a Group, and the Object, then check the checkbox corresponding to each of the four Access modes.

If you do not specify any group in the access rules, the rule is applied to all groups. So to remove access to an object for all users you could create a rule:

  • that is defined for a specific object,

  • that is not linked to any group,

  • for which none of the access mode checkboxes is checked.

You can then create additional rules on the same object to give specific rights to certain groups.

Record Rules for Objects
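The deny-by-default pattern above, together with the warning about locking out Administration / Access Rights, modeled in Python as an added example (not OpenERP's own code). The function names and the ACL rows are constructed for illustration, and the "no rows means open to everyone" branch follows this page's description.

```python
# Simplified model of object access controls (ir.model.access) as this page
# describes them. Added example, not OpenERP code; all rows are constructed.
MODES = ("read", "write", "create", "unlink")
ADMIN = "Administration / Access Rights"

# (object, group or None for "all groups", set of checked access modes)
ACL = [
    ("account.invoice", None, set()),  # group-less, nothing checked: deny all
    ("account.invoice", "Accounting & Finance / Invoicing & Payments", set(MODES)),
    ("stock.move", "Warehouse / User", {"read", "write", "create"}),
    ("stock.move", "Warehouse / Manager", set(MODES)),
    ("ir.model.access", ADMIN, set(MODES)),
]


def effective_rights(acl, user_groups, obj):
    """Access modes that a member of `user_groups` holds on `obj`."""
    rows = [row for row in acl if row[0] == obj]
    if not rows:
        # Per the page: an object with no access control is open to all users.
        return set(MODES)
    granted = set()
    for _, group, modes in rows:
        if group is None or group in user_groups:  # group-less rows reach everyone
            granted |= modes
    return granted


def uncontrolled(acl, objects):
    """Objects that have no access control row at all: review these first."""
    return sorted(set(objects) - {row[0] for row in acl})


def locked_out(acl, group, obj):
    """True if `group` is missing any of the four access modes on `obj`."""
    return effective_rights(acl, {group}, obj) != set(MODES)


if __name__ == "__main__":
    for groups in ({"Warehouse / User"},
                   {"Accounting & Finance / Invoicing & Payments"}):
        print(sorted(groups), sorted(effective_rights(ACL, groups, "account.invoice")))
    print("no ACL:", uncontrolled(ACL, ["account.invoice", "stock.move", "res.partner"]))
    print("admin locked out:", locked_out(ACL, ADMIN, "ir.model.access"))
```
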

Record rules determine who can access the objects, depending on the rules set for the particular object. A record rule has some tests to be performed on objects.

You can manage four access modes on objects independently, depending on the test:

  • Read access : can read the data in the object,

  • Create access : can create a new record in the object,

  • Write access : can modify the contents of records in the object,

  • Delete access : can delete records from the object.

To configure a rule on an object, use the menu Settings ‣ Security ‣ Record Rules. The fields in the ir.rule object describe:

  • Object : The object to which the rule applies

  • Name : The name of the rule

  • Global : If global is checked, then that rule would be applied for all the groups; and if it is unchecked, then that rule would be applied only for the groups selected for it.

  • Domain : A list of all the tests for the object. It is specified through a Python expression as a list of tuples.

    • If there are multiple tests on the same object, they are all joined using the AND operator, and the rule is satisfied or not depending on the result

    • If there are multiple rules on the same object, they are all joined using the OR operator

  • Access Modes : Read, Write, Create, Delete, as described above

    • If only one access mode is checked, then only that mode is applied

    • If all of them are checked, then all the access modes are applied

    At least one access mode has to be checked; they cannot all be unchecked. If all of them are unchecked, an exception is raised.

For example, we can define a rule on the res.partner object that tests whether the user is the dedicated salesman of the partner: [('user_id', '=', user.id)]. We check only the create and write access modes and keep the other access modes unchecked.

This would mean that a user in the group for which the rule is applied can only create/write records where he himself serves as the dedicated salesman, and cannot create/write records where he is not the dedicated salesman. As other access modes are unchecked, the user can read/delete the records of partners where he is not the dedicated salesman.
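The res.partner rule above, modeled in Python as an added example (not OpenERP's own code), to show how checked access modes, AND inside a domain and OR between rules combine. The `Rule` class, the `allowed` function, the group name and all sample users and records are constructed for illustration; the second rule goes beyond the page's example to exercise the OR case.

```python
# Simplified model of record rules (ir.rule) as described above.
# Added example, not OpenERP code; users, records and rules are constructed.
import operator

OPS = {"=": operator.eq, "!=": operator.ne}
MODES = {"read", "write", "create", "unlink"}


class Rule:
    def __init__(self, name, domain, modes, groups=(), is_global=False):
        if not set(modes) or not set(modes) <= MODES:
            # Per the page: a rule with every access mode unchecked is rejected.
            raise ValueError("rule %r needs at least one valid access mode" % name)
        self.name, self.domain = name, domain  # domain: callable(user) -> tuples
        self.modes, self.groups, self.is_global = set(modes), set(groups), is_global

    def applies_to(self, user, mode):
        in_scope = self.is_global or bool(self.groups & user["groups"])
        return in_scope and mode in self.modes

    def matches(self, user, record):
        # All tests inside one domain are joined with AND.
        return all(OPS[op](record.get(field), value)
                   for field, op, value in self.domain(user))


def allowed(rules, user, record, mode):
    """Return True if the record rules let `user` do `mode` on `record`."""
    applicable = [r for r in rules if r.applies_to(user, mode)]
    if not applicable:
        return True  # no rule is checked for this mode: nothing is filtered
    # Several rules on the same object are joined with OR.
    return any(r.matches(user, record) for r in applicable)


RULES = [
    Rule("own partners", lambda u: [("user_id", "=", u["id"])],
         modes={"create", "write"}, groups={"Sales"}),
    Rule("unassigned customers",
         lambda u: [("user_id", "=", False), ("customer", "=", True)],
         modes={"write"}, groups={"Sales"}),
]
ALICE = {"id": 7, "groups": {"Sales"}}
OWN = {"name": "Partner A", "user_id": 7, "customer": True}
OTHER = {"name": "Partner B", "user_id": 9, "customer": True}
FREE_CUSTOMER = {"name": "Partner C", "user_id": False, "customer": True}
FREE_SUPPLIER = {"name": "Partner D", "user_id": False, "customer": False}

if __name__ == "__main__":
    for rec in (OWN, OTHER, FREE_CUSTOMER, FREE_SUPPLIER):
        print(rec["name"], {m: allowed(RULES, ALICE, rec, m) for m in sorted(MODES)})
```

Read and delete come back allowed for every record because no rule is checked for those modes, so those operations need their own rule or an object-level access control.
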

Modification History


Partner Record History

Each record in an OpenERP database carries a note of its history. You can find out who created it and when, and who last modified it and when. Click the View Log link from the More button to display the logs related to that record, as shown in the figure Partner Record History. It can help you identify who to contact if there are any problems with the data in the records. Before that, you have to define a log rule using Reporting ‣ Audit ‣ Audit Rules.

Tip

Audit Trail

OpenERP has an Audit Trail module audittrail, which can be used to track any or all of the changes to one or more objects. It should be used with care, because it can generate huge amounts of data in the live database, but can be an invaluable tool.