Step-by-Step Guide to Configuring ACLs in Odoo

TEAM-TRANSINES
April 6, 2026

Access Control Lists (ACLs) in Odoo are a fundamental part of securing your application. ACLs specify which models are accessible to whom and what they can do (read, write, create, delete).

Understanding ACLs is necessary if you're creating or modifying an Odoo module and want to guarantee appropriate data security and user role management.

In this blog, you will learn what ACLs are, how they work, and how to configure them.

What Are ACLs in Odoo?

Access Control Lists (ACLs) are rules that define permissions at the model level. They specify whether a user group can:

  • Read records     
  • Write (update) records
  • Create new records
  • Delete records

Each ACL rule connects:

  • A model
  • A user group
  • A set of permissions

Security Layers in Odoo

Before we go into more detail, it’s important to know where ACLs fit into the bigger picture of security:

ACLs (Model-Level Access)

  • Control whether a user can access a model at all  
  • Define CRUD operations.

Record Rules (Row-Level Access)

  • Control which records a user can access

Field-Level Access (Advanced)

  • Restrict access to specific fields (via groups in views)

So basically ACLs act as the first gate—if access is denied here, nothing else matters.

ACL Structure

ACLs are defined using a CSV file, typically named: ir.model.access.csv

Key Concepts

Before configuring ACLs, you should understand:

Models

Models represent database tables (e.g., res.partner, sale.order).

Groups

Permissions are assigned to user groups (e.g., Sales User, Inventory Manager).

Permissions

Each ACL defines four permissions:

  • perm_read           
  • perm_write        
  • perm_create         
  • perm_unlink

Step 1: Create the ACL File

Inside your module, create a file: security/ir.model.access.csv

Step 2: Define ACL Rules

Here's the structure of the CSV file:

id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink

Example:

code

Explanation:

Field | Description
id | Unique identifier
name | Description of the rule
model_id:id | Model name reference
group_id:id | User group
Permissions | 1 = allowed, 0 = denied

Step 3: Load the ACL File

Make sure your CSV file is included in the module manifest (__manifest__.py):

'data': [
    'security/ir.model.access.csv',
],

Step 4: Assign Users to Groups

ACLs only work when users belong to groups.

To assign users:

  1. Go to Settings  
  2. Open Users & Companies → Users
  3. Select a user
  4. Assign appropriate groups

Real-World Example

Let’s say you’re building a Library Management System with a model: library.book

Scenario:

  • Librarians → Full access
  • Members → Read-only access

Security group configuration:

Groups are defined in XML files, typically: security/security.xml

Example:

<record id="group_librarian" model="res.groups">
    <field name="name">Librarian</field>
    <field name="category_id" ref="base.module_category_hidden"/>
</record>

ACL Configuration:

access_library_book_user,library.book user,model_library_book,base.group_user,1,0,0,0
access_library_book_manager,library.book.manager,model_library_book,library.group_librarian,1,1,1,1

Result:

User Type | Permissions
Member | Can only view books
Librarian | Full control

Important Notes

1. No ACL = No Access

If no ACL is defined for a model, users (except superuser) cannot access it.

2. ACLs Are Additive

If a user belongs to multiple groups, permissions are combined.

Example:

Group A: Read only
Group B: Write only

User gets both read + write access

ACL vs Record Rules

ACLs control model-level access, but sometimes you need more control over user actions. That’s where Record Rules come in:

  • They filter access at the record level
  • Example: A user can only see their own records

Use both together for complete security.

Common Mistakes

  • Forgetting to include ACL file in manifest           
  • Incorrect model reference (e.g., missing model_ prefix)
  • Assigning ACL to wrong group
  • Not restarting/updating module after changes
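
The additive rule and the CSV mistakes listed above can be checked before a module is installed. The following Python script is an added example, not code from the original post or from Odoo: it lints an ir.model.access.csv and computes the combined permissions a user gets from several groups. The sample rows, the library.loan and library.fine models, and the function names are constructed for illustration, and model references are compared as plain strings.

```python
import csv
import io

# Constructed sample file; the last two rows contain deliberate mistakes.
SAMPLE_CSV = """\
id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
access_library_book_user,library.book user,model_library_book,base.group_user,1,0,0,0
access_library_book_manager,library.book.manager,model_library_book,library.group_librarian,1,1,1,1
access_library_loan_user,library.loan user,library_loan,base.group_user,1,1,0,0
access_library_fine_all,library.fine all,model_library_fine,,1,1,1,yes
"""
PERMS = ("perm_read", "perm_write", "perm_create", "perm_unlink")
HEADER = ["id", "name", "model_id:id", "group_id:id", *PERMS]

def load_rules(text):
    """Parse ir.model.access.csv text into a list of row dicts."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != HEADER:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    return list(reader)

def lint(rules):
    """Return (rule id, problem) pairs for rows that break or weaken access control."""
    findings = []
    for r in rules:
        # A model's external ID is [module.]model_<name with dots as underscores>.
        if not r["model_id:id"].split(".")[-1].startswith("model_"):
            findings.append((r["id"], "model reference lacks model_ prefix"))
        if not r["group_id:id"]:
            findings.append((r["id"], "no group: rule applies to every user"))
        for p in PERMS:
            if r[p] not in ("0", "1"):
                findings.append((r["id"], f"{p} must be 0 or 1, got {r[p]!r}"))
    return findings

def effective_perms(rules, model_ref, user_groups):
    """Additive rule: OR together every row that matches one of the user's groups."""
    granted = dict.fromkeys(PERMS, False)
    for r in rules:
        applies = not r["group_id:id"] or r["group_id:id"] in user_groups
        if r["model_id:id"] == model_ref and applies:
            for p in PERMS:
                granted[p] = granted[p] or r[p] == "1"
    return granted

if __name__ == "__main__":
    rules = load_rules(SAMPLE_CSV)
    print(lint(rules))
    print(effective_perms(rules, "model_library_book", {"base.group_user"}))
```

A model with no matching row comes back with every permission False, which is the "No ACL = No Access" case; a row with an empty group column is flagged because it grants its permissions to all users regardless of group.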

Updating Changes

After modifying ACLs:

  1. Restart Odoo server
  2. Upgrade your module:

Testing ACLs

Always test with:

  • Different users
  • Different groups
  • Real scenarios (create/edit/delete)

Avoid testing only with admin—it bypasses restrictions.

Best Practices

  • Use least privilege principle      
  • Create custom groups for better control
  • Combine ACLs with record rules
  • Document your security logic

ACLs in Odoo are more than just a file that sets up your application; ACLs are the main part of its security model. When used correctly, they make sure that users can only work with data in ways that are appropriate for their roles.

Setting up ACLs in Odoo is important for making applications that are safe and can grow. You can make sure that users only see the data they need to by correctly defining access rights, assigning groups, and combining ACLs with record rules.

You can make strong, safe, and professional Odoo apps by learning how to use ACLs and combining them with record rules. ACLs make the apps safer and make the user experience better by stopping people from doing things they shouldn't.
