Access Rights in Accounting

Who is allowed to view certain information? Who can see or perform specific processes, and how do comprehensive evaluations fit in?

Access rights are an essential topic that we encounter frequently. This article briefly outlines the individual access rights associated with the accounting module in Odoo.

Access rights have remained largely consistent across several Odoo versions, with only terminology changes. Therefore, we will compare the wording used in Odoo 18 with that in Odoo 17.

If you have explored either of these two versions, you may have noticed five access options to choose from:

Odoo 18

Odoo 17

 
It is worth noting that the “Bookkeeper” role appears in both lists but at different access levels. What Odoo 17 called “Bookkeeper” has been renamed “Invoicing & Banks” in Odoo 18.

Additionally, a new access level called “Bank” has been introduced, which retains the same name in both versions 17 and 18:

 
However, there is one slight exception regarding this module: “no access right” is itself an access right.

Let us now examine the options and their components in detail.


Invoicing / Billing

This category can perhaps best be described using classic role titles such as “Accounts Receivable Accountant,” “Accounts Payable Accountant,” or simply “Sub-Ledger Accountant.” It involves the recording and checking of both outgoing and incoming accounts, where Odoo facilitates the document creation, and the user is responsible for checking and posting them accordingly.

Consequently, the user group’s scope is relatively narrow, limited to the two menu items “Customers” and “Vendors”:

 
The reporting menu is, therefore, also minimal, providing only insights into the evaluation of outgoing and incoming invoices and the change log:




Read-only

In earlier Odoo versions, this role was referred to as “Auditor,” but it has since been expanded. The previous role had a minimal view of the financial reports, which has now significantly increased, as illustrated in the screenshot below:

 
However, this role only represents the most critical data in the overview of postings, allowing access only to primary information for the financial reports:

 
Checking the role in the backend reveals that reading rights are consistently applied across the entire accounting data model.

A quick review of an existing transaction shows that no processing options (such as editing or posting) are displayed, confirming the configuration of the security group:

Conclusion: Nomen est omen.


Invoicing & Banking / Bookkeeper

This group has notably expanded its range of functions. Upon switching to accounting, the dashboard displays a summary of journal movements per journal/book:

 
The display is visualized as a bar or line chart, depending on the journal.

The configuration of this security group builds on the previous one, extending it to include the management of direct debit mandates and the ability to import and post account statements, making it more comprehensive than before:


Bookkeeper / Accountant

We are nearing the top of the hierarchy. Anyone familiar with Odoo’s concept of access rights will notice that a distinction is typically made between users and administrators for each module. In accounting, the user role has been further divided, with the “bookkeeper” being the highest user. This role has access to full accounting and financial accounting functionalities, as reflected in the comprehensive menu options available:

 
They include assets, accruals, depreciation, and analytical accounting (known as cost center or cost unit accounting in Odoo):

The only limitations are (of course) related to configuration settings and the ability to close periods, meaning users can only prepare for month-end procedures.


Administrator / Consolidation User

Next, we reach the top role: the Administrator. As the title suggests, this administrative role provides access to extensive sections of the module’s configuration. Additionally, as mentioned earlier, this is the only security group authorized to close and, if necessary, reopen accounting periods.


The access right that does not exist

As indicated above, there exists an access right that is integral to the overall structure and is even one of its most influential groups within the process: the “Preparatory Accounting” group. This group includes users in sales and purchasing who create orders that will lead to outgoing invoices or manage orders for which incoming invoices are entered and assigned.

Interestingly, members of this group do not have any entries in the shortlist of access rights for accounting. Here’s how it works:

 
Users without access rights can create draft invoices for their orders (see menu item “Sales to invoice” in Sales) or view, check, and approve incoming invoice proposals for their orders.

However, these users cannot access the accounting directly; they are only able to see documents associated with their transactions. If you test this scenario, you will notice that the “Accounting” module is absent from the home screen. Nevertheless, the SmartButton for invoices still appears on an order, and related receipts can be reviewed:

 
And here is the receipt:

 
Conclusion: This is how security should be implemented!


Bank / Validate bank account

If you examine this group, you will find it empty. This type of group is often linked to specific functionalities within the system that are not intended for general access. When a user opens such a view, Odoo will check whether the user is a member of this group and, consequently, whether they are permitted to use the corresponding function.

In our case, it refers to a minor feature in creating bank accounts, but it is more interesting with regard to supplier/creditor accounts used for transferring funds. When creating such an account, there is an option called “Send Money,” which indicates that the account has been verified and is eligible for payments:

 
This option can only be activated, designating the account as “Trusted,” if the user can access the “Bank/Validate bank account” function.

This specific access right was introduced with Odoo 16.
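
The following is an added illustration, not Odoo source code and not part of the original article: a small Python model of how an empty group can gate a single function, and how to list who holds the two sensitive capabilities named in this article (trusting bank accounts, closing periods). The group keys, the implication chain between access levels, and the sample users are assumptions made for this sketch.

```python
# Added illustration: a simplified model of group-gated features, not Odoo source.
# Group keys and the implication chain below are assumptions for this sketch.
IMPLIES = {
    "administrator": ["bookkeeper"],
    "bookkeeper": ["invoicing_banks"],
    "invoicing_banks": ["invoicing"],
    "invoicing": [],
    "read_only": [],
    "validate_bank_account": [],  # empty group: membership is all it carries
}

def effective_groups(assigned):
    """Expand directly assigned groups with everything they imply (transitively)."""
    seen, stack = set(), list(assigned)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(IMPLIES.get(group, []))
    return seen

def write_bank_account(assigned, account, vals):
    """Apply vals to account; changing 'trusted' requires the gate group."""
    changes_trust = "trusted" in vals and vals["trusted"] != account.get("trusted", False)
    if changes_trust and "validate_bank_account" not in effective_groups(assigned):
        raise PermissionError("Validate bank account group required to change 'trusted'")
    account.update(vals)
    return account

def audit(users):
    """Report who holds the two sensitive capabilities named in the article."""
    report = {"trust_bank_accounts": [], "close_periods": []}
    for name, assigned in sorted(users.items()):
        groups = effective_groups(assigned)
        if "validate_bank_account" in groups:
            report["trust_bank_accounts"].append(name)
        if "administrator" in groups:
            report["close_periods"].append(name)
    return report

# Constructed sample assignments (not real users).
USERS = {
    "alice": ["administrator"],
    "bob": ["bookkeeper", "validate_bank_account"],
    "carol": [],  # sales user with no accounting access level
    "dave": ["invoicing"],
}
```

In this model the check runs when the value is written, so hiding the option in the form is not the only control, and even the top accounting level cannot flip the flag without explicit membership in the gate group.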


The contact overview

Managing access rights in the address book, particularly concerning customers or debtors with overdue balances, remains an important consideration. For instance, when a user has full access rights to accounting, they can view the turnover data (indicated by the “Invoiced” SmartButton) as well as any overdue amounts, such as an outstanding balance of $231.4:

 
This information is accessible from the lowest accounting profile; however, a standard user profile cannot access this data through the address book – only through the sales or purchasing modules:

 
To impose consequences on customers from the accounting perspective, it is advisable to utilize the “Credit Limit” or “Internal Notes” functions, including a Warning or Blocking Message. Note that these functions are not enabled by default and must be activated via the Sales settings.

The credit limit feature triggers a prominent banner that appears when creating or entering new offers and orders in Sales, alerting users that the limit for open items has been exceeded.

In the case of a Warning Message, a pop-up notification can be stored for the user, but further processing of transactions is still possible. Conversely, a Blocking message, as the subsequent escalation, will prevent the creation of any new transactions.


Conclusion

In summary, Odoo has attentively responded to user feedback within the accounting sector over the years, refining its approach to access rights. This meticulous structuring meets the principles of data economy and enhances auditing capabilities, expanding the range of applications available to both small and large accounting teams.

If you are interested in learning more about utilizing Odoo in your company, please contact us for additional information!
