Access rights govern what a user can do with a kind of record. But often a user should access only some particular records of that kind. Record rules govern that. This piece explains record rules in Odoo.
Beyond the kind of record
Access rights govern access at the level of the kind of record, the model: they say whether a kind of user can read, create, change or delete that kind of record. Often that is not fine enough. A user might be allowed to access a kind of record in general but should only access particular records of that kind, the ones that concern them (their own, their department's), not every record of that kind. Governing which particular records, not just which kinds, is what record rules do.
What a record rule is
A record rule, in Odoo, governs which particular records of a kind a user can access. Where access rights say "this kind of user can access this kind of record", a record rule adds "and, of that kind, the particular records they can access are these", defined by some condition. So a record rule narrows access from the whole kind of record to the particular records that concern the user. Record rules are the finer-grained layer of security, governing access at the level of which records, not just which kinds.
Why record rules matter
Record rules matter because a user often should access only some records of a kind, and without record rules the access would be too broad. If a user is allowed a kind of record in general but should only see the records that concern them, access rights alone, which govern only the kind, would let them access every record of that kind, which is more than their role warrants. A record rule corrects that by narrowing access to the appropriate set. Record rules are how a business ensures that users access not just the kinds of record their role warrants but the particular records their role warrants. They are essential to matching access to the role.
Record rules and access rights together
Record rules work together with access rights. Access rights govern, broadly, which kinds of record a user can do what with. Record rules narrow that, where needed, to which particular records. Together they govern access at both levels: the kind, and, within the kind, the particular records. A developer setting up security for a kind of record sets the access rights and, where users should access only some records of that kind, the record rules, so that between the two, access matches what each user's role warrants.
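The two layers as they would appear in a module's security data file, as an added example that is not part of the original article. The model my.ticket, its user_id field and the record ids are assumptions made for illustration; ir.model.access, ir.rule and base.group_user are Odoo's own.

```xml
<odoo>
  <!-- Layer 1: access right, at the level of the kind of record.
       Internal users may read, create and change tickets, not delete them.
       (Hypothetical model "my.ticket"; Odoo generates the external id
       model_my_ticket for it.) -->
  <record id="access_my_ticket_user" model="ir.model.access">
    <field name="name">my.ticket: internal user</field>
    <field name="model_id" ref="model_my_ticket"/>
    <field name="group_id" ref="base.group_user"/>
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="False"/>
  </record>

  <!-- Layer 2: record rule, at the level of particular records.
       The condition is a domain: of all tickets, the same users reach
       only those whose user_id (assumed field) is the current user. -->
  <record id="rule_my_ticket_own" model="ir.rule">
    <field name="name">my.ticket: own tickets only</field>
    <field name="model_id" ref="model_my_ticket"/>
    <field name="groups" eval="[(4, ref('base.group_user'))]"/>
    <field name="domain_force">[('user_id', '=', user.id)]</field>
    <!-- Operations the rule applies to. Unlink is already refused by
         the access right above, so the rule does not need to cover it. -->
    <field name="perm_read" eval="True"/>
    <field name="perm_write" eval="True"/>
    <field name="perm_create" eval="True"/>
    <field name="perm_unlink" eval="False"/>
  </record>

  <!-- Caveat when reviewing: code that runs in superuser mode (sudo())
       bypasses both layers, so check where a module uses sudo() on
       this model before relying on the rule. -->
</odoo>
```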
Use record rules where access should be narrowed
An honest note. Record rules are for the cases where access should be narrowed to particular records. A developer should use them where a kind of user should access only some records of a kind, the ones that concern them. Where a kind of user should access all records of a kind, no record rule is needed. Apply record rules where the role warrants access to only some records, so that access matches the role.
The takeaway
Record rules in Odoo govern which particular records of a kind a user can access. They are the finer-grained layer of security beyond access rights, which govern only the kind. A record rule narrows access from a whole kind of record to the particular records that concern the user. Record rules matter because a user often should access only some records of a kind, and without them the access would be too broad. Record rules and access rights together govern access at both levels, so that it matches the role. For how we approach Odoo, see our ERP practice.