Field level access rights and Security in openerp 7

Question

Suppose I have 3 users which are as follows:

user_employee having access rights Human Resource /Employee group
user_officer having access rights Human Resource /officer group
user_manager having access rights Human Resource /manager group 

For object hr_employee(hr.employee)

If I am logged in as user_manager or user_officer I can create/edit my own employee record. If I am logged in as user_employee I cannot edit my own employee record.

Then I gave write permission to Human Resource/Employee group and now I can edit all fields which are related to hr_employee, but I want to restrict edit access to users which are under Human Resource/Employee group to certain fields; for example if user_employee is logged in then he is not able to edit department_id or related_user, or coach_id, active, manager, etc.

He can edit just his name, address, DOB, and other public information.

How can I solve this issue with security folder files like .xml or .csv files?

Answer 1

The .xml and .csv files provide security settings on a broader scale: create, read, update, and delete.

If you want per field settings instead you'll have to play around with the xml view file. Check out the domain settings.

Something like:

<field name="DOB" attrs="{'readonly':[('groups_id.category_id.name','=','Human Resource')]}"/>

The above is not restrictive enough, but hopefully will give you the idea.

As convenient as this might be, I don't think it's a good idea. Depending on the laws of where your company is located, the company can be responsible for the accuracy of that data. Having the employee present evidence of any changes to somebody in HR can be a good thing.