Access control¶
Every external API request executes as the API-key user. The generated model catalog describes metadata visible to the snapshot user; it does not bypass security for another user.
Security layers¶
- Model access rights decide whether groups may read, create, write, or delete a model.
- Record rules filter which records the user may access for each operation.
- Field groups can hide or protect individual fields.
- Company access restricts company-dependent records and values.
- Business logic can reject an otherwise permitted mutation because of state or validation rules.
An empty search result may mean no matching records, or it may mean record rules filtered every match. A successful read does not imply create or write permission.
Integration design rules¶
- Create a least-privilege integration user.
- Test with the same identity and company context used in production.
- Treat
sudo-style server-side code as a separate, reviewed trust boundary. - Do not retry
403errors automatically. - Keep auditable correlation IDs between the calling system and resulting Odoo records.
- Re-test permissions after group, record-rule, or multi-company changes.
See Odoo's security reference for the framework model.