Access in Odoo is governed by access rights and record rules, but those are not set user by user. They are organised through security groups. This piece is about security groups in Odoo.
The problem of organising access
A business has many users, and access, what each can do and see, has to be governed for all of them. But governing access genuinely user by user, setting each individual user's every permission individually, would be unmanageable, and it would not reflect the reality, which is that users fall into kinds, kinds of role, and users of the same kind should genuinely have the same access. Security groups are how access is organised to reflect that.
What a security group is
A security group, in Odoo, is a way of organising a kind of user, and the access that kind of user has. A group corresponds to a kind of user, or a kind of access, and the access, the access rights, the record rules, is associated with the group. A user is then given the groups appropriate to them, and through the groups, the user gets the access those groups carry. So a security group is, in essence, a bundle of access that corresponds to a role or a kind of user.
Why security groups help
Security groups help because they let access be governed by role rather than user by user. Instead of setting every individual user's permissions individually, the access is organised into groups, by kind of user, and a user is given the appropriate groups. This is far more manageable, the access is defined once, per group, not per user, and it genuinely reflects reality, that users of the same kind should have the same access. Security groups turn governing access from an unmanageable, user-by-user task into a manageable matter of defining the groups and assigning each user the groups their role warrants.
Security groups and matching access to the role
Security groups are how the principle of access matching the role is genuinely put into practice. A group corresponds to a role, or kind of user, and carries the access that role genuinely warrants. Giving a user the groups appropriate to their role gives them the access their role genuinely warrants. So security groups are the mechanism by which access is genuinely matched to roles: the groups define the access of each role, and assigning users to groups gives each user their role's access. Managing users and access well is, in large part, managing the security groups well, so the groups genuinely correspond to the roles and carry the genuinely appropriate access.
The takeaway
Security groups in Odoo are the way kinds of users and their access are organised. A security group corresponds to a kind of user or role, and the access, the access rights and record rules, is associated with the group; a user is given the groups appropriate to them and gets their access through the groups. Security groups help because they let access be governed by role rather than user by user, which is manageable and reflects reality. They are the mechanism by which access is genuinely matched to roles. For how we approach Odoo, see our ERP practice.