A Plain-English Guide to Odoo User Roles, Permissions, and Access Rights
One of the most overlooked parts of an Odoo implementation is setting up user access correctly. Most businesses start with everyone having admin-level access, which works fine when you're a team of three. But as the team grows, you need to make sure that salespeople can't edit accounting records, warehouse staff aren't modifying product prices, and managers have the reporting visibility they need without giving everyone the keys to the entire system.
How Odoo Handles Access
Odoo uses a group-based permissions model. Every user is assigned to one or more groups, and each group has a defined set of permissions for each module. Permissions are layered: within a given module, a user can typically be set to no access, read-only, limited write access, or full administrative access.
For example, in the Sales module, you might configure a salesperson to create and manage their own quotations and orders but not see other salespeople's pipelines. A sales manager would have access to the full team's pipeline plus reporting. An administrator would have full configuration access.
Module-Level vs. Record-Level Access
Odoo's permissions operate at two levels. Module-level access controls which apps a user can see and interact with. If someone doesn't need access to Accounting, you simply don't add them to the accounting group — the module won't appear in their menu at all.
Record-level access rules control what a user can see within a module they do have access to. This is where you can set up rules like "salespeople only see their own leads" or "project managers see all projects in their department but not other departments." Record rules are powerful but need to be configured thoughtfully to avoid accidentally blocking access to information people need to do their jobs.
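As an added illustration (not code from this article or from Odoo itself), the simplified Python model below shows how record rules combine, going one step beyond the paragraph above: per Odoo's documentation, rules with no group are global and must all pass, while rules attached to a user's groups are alternatives, so any one of them is enough. The group names, rules, users and lead records are constructed for the example, and module-level access is assumed to be granted already.

```python
# Simplified model of Odoo record-rule evaluation (not Odoo source code).
# Group names, rules, users and leads are constructed for illustration.
# Model-level access rights are checked before record rules and are not modelled.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    group: Optional[str]                    # None = global rule, applies to everyone
    allows: Callable[[dict, dict], bool]    # (user, record) -> bool

RULES = [
    Rule("own leads only", "salesperson", lambda u, r: r["user_id"] == u["id"]),
    Rule("all leads", "sales_manager", lambda u, r: True),
    Rule("same company", None, lambda u, r: r["company"] in u["companies"]),
]

LEADS = [  # constructed sample records
    {"id": 1, "user_id": 10, "company": "A"},
    {"id": 2, "user_id": 11, "company": "A"},
    {"id": 3, "user_id": 10, "company": "B"},
]

def visible_ids(user, records=LEADS, rules=RULES):
    """Global rules are ANDed; rules from the user's groups are ORed."""
    global_rules = [r for r in rules if r.group is None]
    group_rules = [r for r in rules if r.group in user["groups"]]
    out = []
    for rec in records:
        if not all(r.allows(user, rec) for r in global_rules):
            continue
        # If no group rule applies to this user, only global rules restrict.
        if group_rules and not any(r.allows(user, rec) for r in group_rules):
            continue
        out.append(rec["id"])
    return out

def audit(user, expected):
    """Return (missing, excess) record ids versus what the role should see."""
    seen = set(visible_ids(user))
    return sorted(set(expected) - seen), sorted(seen - set(expected))

alice = {"id": 10, "groups": {"salesperson"}, "companies": {"A"}}
# Same user after also being added to the manager group: visibility widens.
alice_promoted = {**alice, "groups": {"salesperson", "sales_manager"}}
# A user in neither sales group: the "own leads only" rule does not bind them.
ungrouped = {"id": 12, "groups": set(), "companies": {"A", "B"}}
```

Here `audit(alice_promoted, [1])` reports lead 2 as excess: adding the manager group to a salesperson exposes a colleague's lead, because the restrictive rule is not subtracted from the permissive one.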
Common Role Configurations
Most businesses end up with a handful of standard roles. A typical setup might include a sales role (CRM and sales orders, limited inventory visibility), an operations role (inventory, purchasing, and manufacturing), a finance role (accounting, invoicing, and reporting), a project delivery role (project management, timesheets, and limited CRM visibility), and an administrator role (full access to all modules and settings).
The specific permissions within each role vary by business, but starting with a clear role structure prevents the gradual creep of everyone-has-access-to-everything that most growing businesses experience.
Multi-Company Access
For businesses operating multiple companies within a single Odoo database, permissions become even more important. Users can be granted access to one company, multiple companies, or all companies. Financial records, inventory, and customer data can be isolated by company so that employees in one entity can't access records belonging to another.
This is particularly relevant for holding companies, franchise operations, and businesses with separate legal entities for different markets or business lines.
Best Practices
Set up roles before you add users. It's much easier to assign someone to a pre-defined role than to configure permissions on a user-by-user basis. Review access rights quarterly as your team grows and roles change. And test new configurations by logging in as a test user with the assigned role to verify that they can see what they need and nothing they shouldn't.
At Custom Pixel Design, we configure user roles and permissions as part of every implementation. If your current Odoo setup has grown organically and permissions are a mess, we can audit and clean them up. Get in touch.